Why do manufacturing and professional services businesses use Synology Chat with AI agents?
Many Australian manufacturers, logistics operators, and professional services firms run Synology NAS devices and use Synology Chat as their internal messaging platform. It is self-hosted, private, and carries no per-user cloud subscription cost. Connecting AI systems to Synology Chat means staff get automated, intelligent responses inside the tool they already use every day.
Kernel Flow builds and deploys custom AI systems that integrate directly into existing business tools, including Synology Chat. The integration uses a webhook architecture so users can message an AI agent in a direct message and receive a response in the same conversation. No new software. No additional logins.
How does the Synology Chat AI integration actually work?
The integration connects Synology Chat and an AI agent gateway using two webhooks. When a user sends a direct message to the bot, Synology fires an outgoing webhook to the AI gateway. The gateway processes the message and sends a response back through an incoming webhook URL. The reply appears in the user's DM conversation within seconds.
Outgoing webhook (Synology to AI gateway): Fires when a user sends a DM to the bot. Includes the user's message, their numeric user ID, and a secret token for authentication.
Incoming webhook (AI gateway to Synology): Delivers the AI-generated response back into Synology Chat. The reply appears as a bot message in the same DM thread the user started.
No persistent connections required: The architecture uses simple HTTP request-response cycles with no WebSocket complexity, making it straightforward to deploy and maintain.
What are the exact configuration steps to set up Synology Chat with an AI agent?
Setup has two sides: Synology Chat admin configuration and AI gateway configuration. Both must be completed before the integration runs. Kernel Flow handles end-to-end deployment for clients, typically completing secure configurations within 48 hours.
Step 1: Create an incoming webhook in Synology Chat: In the Synology Chat admin panel, create an incoming webhook integration. This generates a URL that the AI gateway will use to deliver responses. Copy this URL before moving on.
Step 2: Create an outgoing webhook in Synology Chat: Create an outgoing webhook in the admin panel. Set a strong, random secret token. Point the webhook URL to your AI gateway endpoint, for example: https://gateway-host/webhook/synology.
Step 3: Configure the AI gateway: Add the Synology Chat channel to the gateway configuration using your outgoing token and the incoming webhook URL. Set the DM policy, rate limits, and allowed user IDs before restarting the gateway.
Step 4: Test by sending a direct message: Send a DM to the bot account in Synology Chat. A correct response confirms both webhooks are working and the token authentication is passing through your network correctly.
A minimal configuration block for the AI gateway looks like this: set enabled to true, include the outgoing webhook token, provide the incoming webhook URL from Synology, set the webhook path to /webhook/synology, define the DM policy as allowlist, list allowed user IDs, cap the rate limit at 30 requests per minute, and set allowInsecureSsl to false.
How does token authentication protect the Synology Chat AI integration?
Every inbound webhook request from Synology Chat must carry a valid authentication token. The gateway checks for the token in four locations in order: the POST body field named token, a query parameter named token, standard headers including x-synology-token and x-webhook-token, and an Authorization Bearer header. If the token is missing or incorrect, the request is rejected immediately with no fallback.
Token verification uses constant-time comparison to prevent timing attacks. This is a critical security detail for businesses handling sensitive operational or client data through their AI agent.
A common deployment issue: if a reverse proxy such as nginx, Traefik, or Caddy sits in front of the gateway, confirm it passes non-standard headers through without stripping them. Proxies that drop the x-synology-token header will cause every request to fail with an invalid token error. Check proxy header forwarding rules before troubleshooting the integration itself.
What access control options exist for AI agents in Synology Chat?
Controlling who can interact with an AI agent is critical in production environments, particularly for businesses in insurance, professional services, or wholesale distribution where the AI agent has access to sensitive data or internal systems. Three DM policies are available.
Allowlist (recommended for production): Only users whose numeric Synology user IDs appear in the allowed list can message the bot. All other users are silently rejected. If the allowlist policy is set but the user ID list is empty, the gateway refuses to start the webhook route, preventing accidental open deployments.
Open (testing only): Any Synology Chat user can message the bot. Appropriate for internal testing but should not be used in production where the AI agent has access to business-critical systems or data.
Disabled: Blocks all direct messages to the bot. Use this to take the channel offline temporarily without removing the configuration entirely.
For ongoing user management, a pairing system allows administrators to approve new users through a controlled onboarding flow rather than editing configuration files directly. This is the recommended approach for mid-market businesses with changing teams.
What should operations leaders know before deploying AI agents in Synology Chat?
The Synology Chat integration is well-suited to businesses that prioritise data privacy and already run on-premise infrastructure. Self-hosted deployments mean message data does not leave your network. For manufacturers, logistics companies, and professional services firms handling client-sensitive information, this is a significant advantage over cloud-hosted alternatives like Slack or Microsoft Teams.
Kernel Flow configures and deploys these integrations end-to-end. This includes webhook setup, token security, access control policies, reverse proxy configuration, and user onboarding workflows. The result is a production-ready AI messaging system embedded in the tools your team already uses, with no additional software for staff to learn.
Reverse proxy header forwarding: Confirm your nginx, Traefik, or Caddy configuration passes authentication headers through to the gateway. Dropped headers are the most common cause of failed webhook requests.
Allowlist user IDs before go-live: Populate the allowed user ID list before switching the DM policy to allowlist in production. An empty allowlist causes the gateway to reject the route configuration entirely.
Rate limiting protects system performance: Set rate limits per user per minute to prevent a single high-volume user from degrading response times for the rest of the team. A default of 30 requests per minute suits most mid-market deployments.
SSL must be enforced in production: Set allowInsecureSsl to false in all production environments. Insecure connections expose webhook tokens and message content to interception.
