The model
A trigger is a durable webhook-to-agent subscription over an endpoint you can already read. Once it exists, an agent drains events from it withtriggers.wait and acts on each one.
Register the trigger
triggers.create needs the triggers:write scope and an endpoint id:
id. That id is durable — the subscription outlives any single agent process. Register once; consume from anywhere.
The agent loop
The agent callstriggers.wait, acts on what comes back, and passes nextCursor forward. The cursor is the acknowledgement — persist it only after the work is done, and a crash re-reads rather than drops.
caughtUp is false you’re draining a backlog — re-invoke promptly. Once it’s true, you’ve reached the head; wait on your own cadence. triggers.wait returns immediately with whatever is past the cursor, so this is a short-poll consume, not a blocking push. The exact contract — cursors, ordering, at-least-once, body inlining — is on trigger semantics.
Why this is safe to hand an agent
triggers.wait creates no outbound egress. It’s read-consumption of events the caller can already read — the same data as events.list, delivered event-first instead of asked-for. That’s exactly why triggers are exposed over MCP when subscriptions.* and replayDestinations.* are not: those redirect where an org’s events go, an egress decision an agent must never make. Being woken by your own events steers nothing.
Trigger semantics
Cursors, at-least-once, ordering, body limits, and the API mirror.