
Only the API key that has a webhook badge next to it can be used to verify the webhook.
100.20.5.228.
The following code snippets demonstrate how to verify and handle the webhook in Node.js and Python.
Install the SDK
Install the corresponding Python or Node.js SDK:Sample Code
Verify Without SDK
If you’re using a language without an official Retell SDK, you can verify the webhook signature manually. The signature uses HMAC-SHA256.How the Signature Works
Every webhook request includes anX-Retell-Signature header in the format:
vis the Unix timestamp in milliseconds when the webhook was sent.dis the HMAC-SHA256 hex digest of the raw request body concatenated with the timestamp.
Verification Steps
- Extract the
X-Retell-Signatureheader from the request. - Parse the timestamp (
v) and digest (d) from the header using the patternv=(\d+),d=(.*). - Check that the timestamp is within 5 minutes of the current time (to prevent replay attacks).
- Compute
HMAC-SHA256(raw_body + timestamp, api_key)where+is string concatenation. - Compare the computed hex digest with the
dvalue from the header. If they match, the webhook is authentic.

