You can use the x-retell-signature header together with your Retell API key to verify that a webhook comes from Retell AI rather than from a malicious third party. Our SDKs provide a verify function to help you with this.
Only the API key that has a webhook badge next to it can be used to verify the webhook.
You can also check and allowlist Retell IP addresses: 100.20.5.228.
The following code snippets demonstrate how to verify and handle the webhook in Node.js and Python.
Install the SDK
Install the corresponding Python or Node.js SDK:
Sample Code
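// install the sdk: https://docs.retellai.com/get-started/sdk
import { Retell } from "retell-sdk";
import express, { Request, Response } from "express";

// Fail at startup rather than verifying against an undefined key.
const apiKey = process.env.RETELL_API_KEY;
if (!apiKey) throw new Error("RETELL_API_KEY is not set");

const app = express();
app.use(express.json());

app.post("/webhook", (req: Request, res: Response) => {
  // Check the signature before touching any field of the payload.
  if (
    !Retell.verify(
      JSON.stringify(req.body),
      apiKey,
      req.headers["x-retell-signature"] as string,
    )
  ) {
    console.error("Invalid signature");
    // Reject explicitly so the request does not hang without a response.
    res.status(401).send();
    return;
  }
  const { event, call } = req.body;
  // process the webhook

  // Acknowledge the receipt of the event
  res.status(204).send();
});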
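The IP allowlist mentioned above can be enforced in addition to the signature check. The following is an added example, not code from Retell or its SDK: the function names and the `TRUSTED_PROXIES` address are assumptions, and the only allowlisted address is the one given on this page. It handles two cases that commonly break such checks: IPv4-mapped IPv6 peer addresses, and `X-Forwarded-For` headers supplied by the sender.

```typescript
// Added example: source-IP allowlist for the webhook endpoint.
const RETELL_IPS = new Set(["100.20.5.228"]); // address listed on this page
const TRUSTED_PROXIES = new Set(["10.0.0.5"]); // constructed: your own reverse proxy

// Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
function normalizeIp(addr: string): string {
  const a = addr.trim().toLowerCase();
  return a.startsWith("::ffff:") && a.includes(".") ? a.slice(7) : a;
}

// Resolve the address to check. X-Forwarded-For is consulted only when the
// TCP peer is a proxy we operate; from any other peer the header is
// sender-controlled and must be ignored.
function clientIp(peer: string | undefined, forwardedFor?: string): string | null {
  if (!peer) return null;
  const socketIp = normalizeIp(peer);
  if (!TRUSTED_PROXIES.has(socketIp) || !forwardedFor) return socketIp;
  // Proxies append to the right, so the right-most hop that is not one of
  // our proxies is the address our infrastructure actually saw.
  const hops = forwardedFor.split(",").map(normalizeIp).filter((h) => h !== "");
  const hop = [...hops].reverse().find((h) => !TRUSTED_PROXIES.has(h));
  return hop ?? null;
}

function isFromRetell(peer: string | undefined, forwardedFor?: string): boolean {
  const ip = clientIp(peer, forwardedFor);
  return ip !== null && RETELL_IPS.has(ip);
}
```

In the Express handler above, this would be called as `isFromRetell(req.socket.remoteAddress, req.get("x-forwarded-for"))` before `Retell.verify`, rejecting the request when it returns false.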