Sentrail integrates with Linear for both outbound proxy calls and inbound webhook evaluation.
OAuth setup
Go to Tools → Linear → Connect. After OAuth authorization, the access token is stored in tool_connections.config.access_token.
The OAuth callback URL is:
https://<project-ref>.supabase.co/functions/v1/linear-oauth-callback
Webhook configuration
Configure a webhook in your Linear workspace settings:
| Field | Value |
|---|
| URL | https://<project-ref>.supabase.co/functions/v1/webhook-linear |
| Secret | Copy from Sentrail → Tools → Linear → Webhook Secret |
Linear-Signature header containing a hex-encoded HMAC-SHA256 of the raw body. Sentrail verifies this using a timing-safe byte comparison.
Sentrail also checks webhookTimestamp in the payload and rejects events older than 5 minutes.
Workspace matching
Sentrail matches Linear webhooks to workspaces by:
config.organization_id: Linear organization IDconfig.team_id: Linear team ID
Both are compared against payload.organizationId and payload.data.teamId.
Proxy usage
Linear uses a single GraphQL endpoint. Replace the base URL and add the linear tool segment:
# Direct Linear API
curl -X POST https://api.linear.app/graphql \
-H "Authorization: Bearer lin_api_..." \
-H "Content-Type: application/json" \
-d '{"query":"mutation IssueCreate($input: IssueCreateInput!) { issueCreate(input: $input) { success } }","variables":{"input":{"title":"Bug","teamId":"TEAM_ID"}}}'
# Through Sentrail
curl -X POST https://<project-ref>.supabase.co/functions/v1/gateway-proxy/linear/graphql \
-H "Authorization: Bearer agk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
-H "X-Agent-Id: my-agent" \
-H "Content-Type: application/json" \
-d '{"query":"mutation IssueCreate($input: IssueCreateInput!) { issueCreate(input: $input) { success } }","variables":{"input":{"title":"Bug","teamId":"TEAM_ID"}}}'
Authorization: Bearer <access_token> when forwarding to Linear.
Supported actions
Linear actions are classified by the GraphQL operation name extracted from the request body. Common examples:
| Operation | Action string | Risk level |
|---|
IssueCreate | issue.create | medium |
IssueUpdate | issue.update | medium |
IssueDelete | issue.delete | high |
CommentCreate | comment.create | medium |
ProjectCreate | project.create | medium |
ProjectDelete | project.delete | high |
Write-only GraphQL mutations are classified as medium or high risk by default. Pure queries are classified as read with low risk.