About webhooks
Webhooks allow you to receive real-time notifications when a call is completed, eliminating the need to manually check for updates. By setting up a webhook, you can automatically capture call status, lead details, transcripts, and more, making it easy to integrate Synthflow AI with your existing workflows.
With webhooks, you can:
- Log call data in your CRM after an interaction.
- Trigger follow-up actions based on call outcomes.
- Monitor call performance in real time.
To set up a webhook, provide a webhook URL in your API request. When the call is completed, Synthflow AI will send a structured response to your endpoint with details like call status, duration, and executed actions.
Webhook security
Overview
Synthflow signs every webhook payload with an HMAC using your shared secret key. The resulting signature, included in the HTTP_SYNTHFLOW_SIGNATURE header, lets you confirm that the payload came from Synthflow and was not altered in transit.
Why signature validation matters
While TLS (HTTPS) protects against eavesdropping and tampering during transit, it does not guarantee that the request is genuinely coming from Synthflow. Without signature validation, an attacker who discovers or guesses your webhook URL can send forged payloads. These spoofed calls could trigger workflows, write bad data, or corrupt your system. Without a secret key, for example, a malicious actor could create fraudulent appointments in your CRM by replaying fake call payloads.
How to secure your webhooks
- Go to Settings > Security > Webhooks and generate a secret key. Synthflow uses this key to generate a signature that is included in the webhook HTTP header for every call.
- Send the signature header with every webhook. Synthflow uses the call_id as the payload and signs it with your secret key before adding it to the HTTP_SYNTHFLOW_SIGNATURE header. Synthflow includes this header on both inbound webhooks and post-call webhooks.
- Verify the signature on your side using the same secret key and the received call_id. If the output is True, the payload originated from Synthflow and was not altered in transit.
Technical details
- Uses HMAC-SHA256 for signature generation
- Secret keys are 256-bit (32 bytes) cryptographically secure random values
- Signatures are base64-encoded for safe transmission
- Uses constant-time comparison to prevent timing attacks
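The verification step above, written out as an added Python example (not Synthflow's own code): it recomputes the base64-encoded HMAC-SHA256 over the received call_id and compares it in constant time, rejecting missing or malformed signatures. Assumptions: the secret key is used as raw bytes, call_id is a top-level field of the parsed body, and the header is read under the name shown on this page; handle_webhook, SECRET and CALL_ID are hypothetical or constructed.

```python
import base64
import hashlib
import hmac

SIG_HEADER = "HTTP_SYNTHFLOW_SIGNATURE"  # header name as written on this page


def sign_call_id(call_id: str, secret: bytes) -> str:
    """base64(HMAC-SHA256(secret, call_id)), per the technical details listed."""
    mac = hmac.new(secret, call_id.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_signature(received_sig, call_id, secret: bytes) -> bool:
    """True only when received_sig is a valid signature over call_id."""
    if not isinstance(received_sig, str) or not isinstance(call_id, str):
        return False
    if not call_id:
        return False
    try:
        received = base64.b64decode(received_sig.strip(), validate=True)
    except ValueError:  # malformed base64 or non-ASCII input
        return False
    expected = hmac.new(secret, call_id.encode("utf-8"), hashlib.sha256).digest()
    # Constant-time comparison on the raw MAC bytes.
    return hmac.compare_digest(received, expected)


def handle_webhook(headers: dict, payload: dict, secret: bytes) -> int:
    """Hypothetical handler: answer 401 before any workflow runs if the check fails."""
    if not verify_signature(headers.get(SIG_HEADER), payload.get("call_id"), secret):
        return 401
    # Only past this point is it safe to write to the CRM or trigger follow-ups.
    return 200


# Constructed sample values, not real Synthflow data.
SECRET = bytes(range(32))  # stand-in for a 32-byte secret key
CALL_ID = "call_0001-constructed"
GOOD = {SIG_HEADER: sign_call_id(CALL_ID, SECRET)}

if __name__ == "__main__":
    print(handle_webhook(GOOD, {"call_id": CALL_ID}, SECRET))      # valid signature
    print(handle_webhook(GOOD, {"call_id": "call_0002"}, SECRET))  # signature for another call
    print(handle_webhook({}, {"call_id": CALL_ID}, SECRET))        # header missing
```

Because the signed message is the call_id alone, as described above, this check authenticates that value and does not cover other fields in the body. A signature stays valid for its call_id, so de-duplicating on call_id before acting keeps a repeated delivery from running the workflow twice.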