You can use the x-retell-signature header together with your Retell API key to verify that the webhook comes from Retell AI and not from a malicious third party. Our SDKs provide a verify function to help you with this.
Only the API key that has a webhook badge next to it can be used to verify the webhook.
You can also check and allowlist Retell IP addresses: 100.20.5.228.
The following code snippets demonstrate how to verify and handle the webhook in Node.js and Python.
Install the SDK
Install the corresponding Python or Node.js SDK:
Sample Code
// install the sdk: https://docs.retellai.com/get-started/sdk
import { Retell } from "retell-sdk";
import express from "express";

const app = express();

// Use raw body for signature verification, not JSON.stringify(req.body).
app.use(express.raw({ type: "application/json" }));

app.post("/webhook", (req, res) => {
  const rawBody = req.body.toString("utf-8");
  if (
    !Retell.verify(
      rawBody,
      process.env.RETELL_API_KEY,
      req.headers["x-retell-signature"],
    )
  ) {
    console.error("Invalid signature");
    // Reject explicitly so the request is not left without a response.
    res.status(401).send();
    return;
  }
  const { event, call } = JSON.parse(rawBody);
  // process the webhook
  // Acknowledge the receipt of the event
  res.status(204).send();
});
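
The IP allowlist and the raw-body rule above, combined into one gate function and run against a re-serialized body. This is an added example, not Retell's code: standInVerify and sign are a hypothetical HMAC-SHA256 stand-in so the block runs offline (the real check is Retell.verify, whose signature format this page does not describe), and the key, body and signature are constructed.

```javascript
// Added example, not Retell's code. standInVerify is a hypothetical
// HMAC-SHA256 check so the block runs offline; pass Retell.verify in production.
const nodeCrypto = require("node:crypto");

const RETELL_IPS = new Set(["100.20.5.228"]); // address listed on this page

// Dual-stack sockets report IPv4 peers as "::ffff:a.b.c.d"; strip the prefix.
function normalizeIp(addr) {
  return (addr || "").replace(/^::ffff:/i, "");
}

// Assumed scheme for the stand-in: hex HMAC-SHA256 over the exact body string.
function sign(rawBody, key) {
  return nodeCrypto.createHmac("sha256", key).update(rawBody, "utf8").digest("hex");
}

function standInVerify(rawBody, key, signature) {
  if (typeof signature !== "string") return false; // header missing
  const expected = Buffer.from(sign(rawBody, key));
  const given = Buffer.from(signature);
  // timingSafeEqual throws on unequal lengths, so check length first.
  return given.length === expected.length &&
    nodeCrypto.timingSafeEqual(given, expected);
}

// Returns the HTTP status the handler should send for this request.
function checkWebhook({ remoteAddress, rawBody, signature }, key, verify) {
  if (!RETELL_IPS.has(normalizeIp(remoteAddress))) return 403;
  if (!verify(rawBody, key, signature)) return 401;
  return 204;
}

// Constructed sample data: the key, body and signature are made up.
const KEY = "demo-key-not-real";
const RAW = '{"event": "example_event", "call": {"call_id": "abc"}}';
const SIG = sign(RAW, KEY);
// What JSON.stringify(req.body) would produce: same data, different bytes.
const RESERIALIZED = JSON.stringify(JSON.parse(RAW));

const peer = "::ffff:100.20.5.228";
console.log(checkWebhook({ remoteAddress: peer, rawBody: RAW, signature: SIG }, KEY, standInVerify));
console.log(checkWebhook({ remoteAddress: peer, rawBody: RESERIALIZED, signature: SIG }, KEY, standInVerify));
```

Behind a load balancer or reverse proxy, the socket's remote address is the proxy's, so the allowlist check has to use the client address as reported by a proxy you trust.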