Sutrena is the web runtime for AI agents. Three primitives — pages, forms, dashboards — any agent creates with one API call. Framework-agnostic. Works from Claude Code, Cursor, LangGraph, CrewAI, or any HTTP client.

How do I get started with Sutrena?

POST /api/trial to get an instant API key — no signup required. Then POST /api/forms with a template ID to create a hosted form with a matching dashboard in one call.

Does Sutrena support AI agents?

Yes. Sutrena includes 48 MCP tools for Claude Code, Cursor, and any MCP client. It also provides a full REST API, OpenAPI spec, llms.txt, and agent-optimized error messages.

How much does Sutrena cost?

Free: 10 projects, 500 submissions/form, 50MB storage. Builder: $9/month for 50 projects, 5,000 submissions/form, CSV export, upsert API. Pro: $29/month for 200 projects, unlimited submissions. Scale: $79/month for unlimited everything.

Can I embed Sutrena forms on my website?

Yes. Use the 2-line embed snippet or build a custom HTML form that POSTs JSON to the submit URL. Works with Framer, Webflow, WordPress, and any HTML site.

What happens to my data after the trial expires?

Unclaimed trial data is deleted after 24 hours. Visit the claimUrl to sign in with GitHub or Google and keep your data permanently. Or upgrade to Builder, Pro, or Scale.

Does Sutrena support webhooks?

Yes. Register webhook URLs to receive form submission events with HMAC-SHA256 signatures. Supports Slack and Discord payload templates, field mapping, and automatic retry with failure tracking.

Answers/What is HMAC webhook signing?

What is HMAC webhook signing?

Updated March 2026

HMAC webhook signing lets you verify that a webhook payload is real and hasn't been tampered with.

HMAC stands for Hash-based Message Authentication Code. It combines a hash function with a secret key to produce a signature. Only someone with the secret can compute the correct signature.

How it works in Sutrena: when a webhook fires, Sutrena computes an HMAC-SHA256 hash of the request body using your webhook secret. This hash goes in the X-Sutrena-Signature-256 header. On your server, you compute the same hash with your copy of the secret and compare. Match? The payload is authentic. No match? Someone is sending you forged data.

Two implementation details matter. First, use a constant-time comparison function. A naive === can leak timing information that lets an attacker guess the signature gradually. Node.js has crypto.timingSafeEqual for this. Second, compute the HMAC from the raw request body, not parsed-and-re-serialized JSON. JSON serialization doesn't guarantee key order or whitespace, so re-serializing can produce different bytes and a different hash.

You provide your own webhook secret when creating a webhook. Use a cryptographically random string of at least 32 characters. Sutrena doesn't generate secrets for you -- you control it from creation.

This is the same pattern GitHub, Stripe, and Shopify use. If you've verified webhooks from any of those, the Sutrena process is identical.

Can you skip verification? Yes. The webhook still delivers. But for production systems handling real data, HMAC verification is worth the few lines of code.

// Node.js webhook signature verification
const crypto = require("crypto");

function verifyWebhook(body, signature, secret) {
  const computed = crypto
    .createHmac("sha256", secret)
    .update(body, "utf8")
    .digest("hex");

  const sig = signature.replace("sha256=", "");

  return crypto.timingSafeEqual(
    Buffer.from(computed, "hex"),
    Buffer.from(sig, "hex")
  );
}

// In your Express handler:
app.post("/webhook", (req, res) => {
  const signature = req.headers["x-nishkala-signature-256"];
  const isValid = verifyWebhook(req.rawBody, signature, process.env.WEBHOOK_SECRET);

  if (!isValid) {
    return res.status(401).send("Invalid signature");
  }

  const data = JSON.parse(req.rawBody);
  // Process the submission...
  res.status(200).send("OK");
});

What is a form webhook? →Prevent form spam →What is a form submission API? →What is an API-first form builder? →

Ready to build?

Get a trial API key instantly — no signup required.

Start building Agent docs

What is HMAC webhook signing?

Related

Ready to build?