I’m trying to do a webhook signature verification and cannot get it to verify ever. I’m using the API key value from settings, marked we “webhook”
The webhook signature verification requires using the x-retell-signature header together with your Retell API Key(1). You can use the verify function provided in Retell AI’s SDKs to handle this(1).
Here’s the sample code for Node.js:
// install the sdk: https://docs.retellai.com/get-started/sdk
import { Retell } from "retell-sdk";
import express, { Request, Response } from "express";
const app = express();
app.use(express.json());
app.post("/webhook", (req: Request, res: Response) => {
if (
!Retell.verify(
JSON.stringify(req.body),
process.env.RETELL_API_KEY,
req.headers["x-retell-signature"] as string,
)
) {
console.error("Invalid signature");
return;
}
const {event, call} = req.body;
// process the webhook
// Acknowledge the receipt of the event
res.status(204).send();
});
Key points to check:
- Only the API key that has a webhook badge next to it can be used to verify the webhook(1)
- You can allowlist Retell AI’s IP address:
100.20.5.228(1)(2) - The webhook has a timeout of 10 seconds(3)
If you’re not using Node.js or Python (which have SDK support), community members have reported issues with signature verification in other languages(4)(5). For PHP specifically, you need to use file_get_contents('php://input') instead of $request->json() or $request->input() to get the raw body(4).
Additionally, some users have reported that special characters in transcripts (like Spanish accents) can cause verification failures(6).
**