About webhooks
Webhooks allow you to receive real-time notifications when a call is completed, eliminating the need to manually check for updates. By setting up a webhook, you can automatically capture call status, lead details, transcripts, and more, making it easy to integrate Synthflow AI with your existing workflows.
With webhooks, you can:
- Log call data in your CRM after an interaction.
- Trigger follow-up actions based on call outcomes.
- Monitor call performance in real time.
To set up a webhook, provide a webhook URL in your API request. When the call is completed, Synthflow AI will send a structured response to your endpoint with details like call status, duration, and executed actions.
About webhook security
HMAC Signature Authentication
This document explains how to use HMAC (Hash-based Message Authentication Code) signatures to secure webhook communications.
Overview
The HMAC signature system provides a way to verify the authenticity and integrity of webhook payloads. It uses a shared secret key to generate and verify signatures, ensuring that messages haven’t been tampered with during transmission.
Getting Started
- Generate a Secret Key
First, go to the Synthflow UI and generate your secret. The secret is valid for a single workspace.
Each user and workspace will have a different secret key.
Navigate: Go to the Integrations tab > Webhook Security tab > click the Generate Secret Key button.
- External webhook signature
We use the call ID as the payload and the secret key to generate the signature. We send the signature in a header of the request when calling the webhook URL you set.
- Verify the signature
You can verify the signature using the secret key and the call ID. Here is sample code in Python:
If the function returns true, the signature is valid and comes from Synthflow.
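An added example, not Synthflow's own sample code, of the verification described in the steps above: it recomputes the HMAC-SHA256 of the call ID, decodes the base64 signature from the request, and compares the two in constant time. The header name, the `call_id` body field and the UTF-8 encoding of the secret are assumptions, because the page does not specify them.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Placeholder names: the page gives neither the header nor the body field.
SIGNATURE_HEADER = "x-signature-placeholder"
CALL_ID_FIELD = "call_id"


def expected_signature(secret: str, call_id: str) -> bytes:
    """Raw HMAC-SHA256 digest of the call ID (assumes UTF-8 secret and ID)."""
    return hmac.new(secret.encode("utf-8"), call_id.encode("utf-8"),
                    hashlib.sha256).digest()


def verify_signature(secret: str, call_id: str, signature_b64: str) -> bool:
    """True only if signature_b64 is the base64 HMAC-SHA256 of call_id."""
    try:
        received = base64.b64decode(signature_b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed base64: reject instead of raising
    # compare_digest does not leak where the first differing byte is
    return hmac.compare_digest(received, expected_signature(secret, call_id))


def handle_webhook(headers: dict, raw_body: bytes, secret: str) -> int:
    """Return the HTTP status a receiver would send for this delivery."""
    lowered = {k.lower(): v for k, v in headers.items()}
    signature = lowered.get(SIGNATURE_HEADER)
    if not signature:
        return 401  # unsigned request
    try:
        call_id = json.loads(raw_body)[CALL_ID_FIELD]
    except (ValueError, KeyError, TypeError):
        return 400  # body is not JSON or carries no call ID
    if not isinstance(call_id, str) or not verify_signature(secret, call_id, signature):
        return 401  # signature does not match this call ID
    return 200  # signature checks out; continue processing


# Constructed sample delivery (not real Synthflow data)
SAMPLE_SECRET = "constructed-example-secret"
SAMPLE_BODY = json.dumps({"call_id": "call-0001", "status": "completed"}).encode()
SAMPLE_SIG = base64.b64encode(expected_signature(SAMPLE_SECRET, "call-0001")).decode()
```

Because the signed value is the call ID, a valid signature authenticates that ID and the sender's knowledge of the secret; treat the remaining body fields accordingly. Load the secret from your secret store rather than hard-coding it as the constructed sample does.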
Security Details
- Uses HMAC-SHA256 for signature generation
- Secret keys are 256-bit (32 bytes) cryptographically secure random values
- Signatures are base64-encoded for safe transmission
- Uses constant-time comparison to prevent timing attacks