Skip to main content
OpenSRE’s Rocket.Chat integration delivers investigation findings to any channel your user or bot account can post to — useful for teams running self-hosted or cloud Rocket.Chat workspaces. Start the interactive shell with opensre (no subcommand). Slash commands below are run from that REPL.
Rocket.Chat support is outbound delivery only (investigation reports posted to a channel). Triggering investigations from Rocket.Chat chat is not supported yet.

Prerequisites

  • A Rocket.Chat workspace (self-hosted or cloud) and its base URL, e.g. https://chat.example.com.
  • An account allowed to post in the destination channel. A dedicated bot account is recommended so findings are not attributed to a personal user.
  • The Personal Access Tokens feature enabled on the server (Admin → Settings → Accounts → Personal Access Tokens, on by default in most installs) — or admin access to create an incoming webhook.

Pick a mode

You can configure both — when both are present, delivery prefers the webhook.

Step 1 (token mode): Create a Personal Access Token

  1. Sign in to Rocket.Chat with the account that should post findings.
  2. Open My Account → Personal Access Tokens (avatar menu → My Account).
  3. Enter a token name (e.g. opensre) and select Add. Leave Ignore Two Factor Authentication checked unless your policy requires otherwise.
  4. Rocket.Chat shows the token and your user ID once. Copy both — the token is your auth_token and the ID is your user_id. Treat the token like a password.
If you missed the user ID, it is also shown when you regenerate the token, or under Admin → Users for admins.

Step 1 (webhook mode): Create an incoming webhook

  1. As an admin, open Administration → Workspace → Integrations → New → Incoming.
  2. Enable the integration, set a name (e.g. opensre), pick the destination channel, and choose the user the messages post as.
  3. Select Save. Rocket.Chat shows the Webhook URL (https://<server>/hooks/<id>/<token>). Copy it — the token is embedded in the URL, so treat the whole URL like a password.

Step 2 (token mode): Pick a destination channel

Findings are posted with the standard chat.postMessage REST endpoint, so the destination accepts the same formats Rocket.Chat does: Make sure the token’s account is a member of the channel (or has permission to post there).

Step 3: Configure the integration

Interactive shell:
CLI:
Choose Rocket.Chat from the integration list, then pick token, webhook, or both. The wizard prompts for:
  • Token mode: Server URL (ROCKETCHAT_SERVER_URL), personal access token (system keyring, not plain .env), user ID (ROCKETCHAT_USER_ID), and default channel (ROCKETCHAT_DEFAULT_CHANNEL)
  • Webhook mode: webhook URL — saved to the integration store only (~/.opensre/integrations.json), never written to .env, since the URL embeds its token
Credentials are also saved to ~/.opensre/integrations.json via upsert_integration("rocketchat", ...).

Option B: Environment variables

Set in .env:
OpenSRE picks these up at startup and registers Rocket.Chat as an active integration.

Step 4: Verify

Interactive shell:
Or:
CLI:
With token credentials configured, this calls Rocket.Chat’s /api/v1/me endpoint and reports the authenticated @username. With webhook-only configuration, it runs a non-posting reachability probe against the webhook URL (a 404 means the URL or its embedded token is wrong; no message is delivered by the probe). You can also trigger a real delivery test against a bundled fixture: Interactive shell:
CLI:
Findings should appear in the configured channel as a message with an attachment titled Investigation Complete. Long reports are truncated to 4,096 characters.

Troubleshooting

/integrations verify rocketchat only calls /api/v1/me, so it surfaces credential errors but cannot detect channel-routing problems. Delivery-time errors only show up when an investigation actually posts; they appear in OpenSRE logs as [rocketchat] post message failed: <error>. Rocket.Chat auth failed: auth_token or user_id is invalid or expired. The token was revoked or the user ID does not match the token’s account. Regenerate the token under My Account → Personal Access Tokens and update both values. error-room-not-found (delivery-time) The channel in ROCKETCHAT_DEFAULT_CHANNEL does not exist or the token’s account cannot see it. Check the spelling (including the # prefix) and make sure the account is a member of the channel. Rocket.Chat API check failed: <connection error> ROCKETCHAT_SERVER_URL is wrong or unreachable from the machine running OpenSRE. Confirm the URL opens in a browser and includes the scheme (https://). Rocket.Chat webhook returned 404; the URL looks invalid. The webhook was deleted, disabled, or the URL was copied incompletely. Open Administration → Integrations, confirm the incoming webhook is enabled, and copy the full URL again. Findings never arrive, but verify passes /api/v1/me only confirms token credentials and the webhook probe only confirms reachability; neither tests a real delivery. In token mode, confirm ROCKETCHAT_DEFAULT_CHANNEL is set — without it (and without a webhook), delivery is silently skipped (logged as rocketchat delivery: skipped). In webhook mode, confirm the webhook is enabled and posts to the channel you expect.