
Webhooks Security


Synthflow signs every webhook payload with an HMAC using your shared secret key. The resulting signature, included in the HTTP_SYNTHFLOW_SIGNATURE header, lets you confirm that the payload came from Synthflow and was not altered in transit.

Signature validation ensures authenticity (the sender is Synthflow) and integrity (the payload hasn’t been modified).

Why signature validation matters

While TLS (HTTPS) protects against eavesdropping and tampering during transit, it does not guarantee that the request is genuinely coming from Synthflow. Without signature validation, an attacker who discovers or guesses your webhook URL can send forged payloads. These spoofed calls could trigger workflows, write bad data, or corrupt your system.

Without a secret key, for example, a malicious actor could create fraudulent appointments in your CRM by replaying fake call payloads.

How to enable and verify webhook signatures

  1. Go to Settings > Security > Webhooks and generate a secret key. Synthflow uses this key to generate a signature that is included in the webhook HTTP header for every call.

  2. Send the signature header with every webhook. Synthflow uses the call_id as the payload and signs it with your secret key before adding it to the HTTP_SYNTHFLOW_SIGNATURE header.

    HTTP_SYNTHFLOW_SIGNATURE: abc123

    Synthflow includes this header on both the inbound webhook and the post-call webhook.

  3. Verify the signature on your side using the same secret key and the received call_id.

    import hmac
    import hashlib
    import base64

    def generate_hmac_signature(secret_key: str, payload: str) -> str:
        # HMAC-SHA256 over the payload, base64-encoded for transport
        signature = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
        return base64.b64encode(signature).decode()

    def verify_hmac_signature(secret_key: str, payload: str, received_signature: str) -> bool:
        # Recompute the signature and compare it in constant time
        expected_signature = generate_hmac_signature(secret_key, payload)
        return hmac.compare_digest(expected_signature, received_signature)

    call_id = "123456789"           # call_id received with the webhook
    secret_key = "your-secret-key"  # secret key generated in step 1
    signature = "abc123"            # value of the HTTP_SYNTHFLOW_SIGNATURE header
    is_signature_valid = verify_hmac_signature(secret_key, call_id, signature)
    print(is_signature_valid)

    If the output is True, the payload originated from Synthflow and was not altered in transit.
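
An added example, not Synthflow's code: a receiver-side check built on the steps above. The signed value is the call_id alone, so the same header verifies every time that call_id is delivered, and the gate therefore also records processed call_ids so a repeated delivery does not repeat its side effects. The `WebhookGate` class, the `kind` labels and the `call_id` field in a JSON body are assumptions.

```python
import base64
import hashlib
import hmac
import json

SIGNATURE_HEADER = "HTTP_SYNTHFLOW_SIGNATURE"  # header name as given on this page


def expected_signature(secret_key: str, call_id: str) -> str:
    """Base64 HMAC-SHA256 of the call_id, as in the page's own snippet."""
    mac = hmac.new(secret_key.encode(), call_id.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class WebhookGate:
    """Hypothetical receiver-side check: verify first, then refuse repeats."""
    def __init__(self, secret_key: str):
        self._secret_key = secret_key
        # In-memory for the example; a real deployment needs a shared store.
        self._processed = set()

    def check(self, kind: str, headers: dict, raw_body: bytes) -> str:
        # Case-insensitive header lookup; a missing or empty header fails closed.
        received = next((v for k, v in headers.items()
                         if k.upper() == SIGNATURE_HEADER), None)
        if not received:
            return "missing signature"
        try:
            call_id = json.loads(raw_body)["call_id"]  # assumed body layout
        except (ValueError, KeyError, TypeError):
            return "no call_id"
        if not isinstance(call_id, str):
            return "no call_id"
        # Compare bytes: compare_digest raises TypeError on non-ASCII str input.
        expected = expected_signature(self._secret_key, call_id).encode()
        if not hmac.compare_digest(expected, received.encode()):
            return "bad signature"
        # Inbound and post-call webhooks both carry the header: track per kind.
        if (kind, call_id) in self._processed:
            return "duplicate"
        self._processed.add((kind, call_id))
        return "ok"


if __name__ == "__main__":
    gate = WebhookGate("constructed-secret")  # constructed sample values
    body = b'{"call_id": "123456789"}'
    hdr = {SIGNATURE_HEADER: expected_signature("constructed-secret", "123456789")}
    print(gate.check("post_call", hdr, body), gate.check("post_call", hdr, body))
```

Treat `duplicate` as already handled: acknowledge the request without running the workflow again.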

Technical details

  • Uses HMAC-SHA256 for signature generation
  • Secret keys are 256-bit (32 bytes) cryptographically secure random values
  • Signatures are base64-encoded for safe transmission
  • Uses constant-time comparison to prevent timing attacks