ResourcesSecurity and privacy

Retrieve call artifacts

Download recordings and call logs from Vapi’s private storage using authenticated, short-lived URLs.

Overview

For HIPAA-enabled organizations, call recordings and logs are stored in a private bucket. These URLs are not directly downloadable.

To retrieve a recording or log file, call the Vapi API with your Private API Key. The API responds with a 302 redirect to a short-lived, authenticated download URL.

Never expose your Private API Key in client-side code or commit it to version control. Store it as a secret in your backend environment.

Get your Private API Key

  1. Open the Vapi Dashboard.
  2. Go to ManageAPI Keys.
  3. Copy the value of your Private API Key.

Integration

To download or retrieve a recording or log file, send your Private API Key in the Authorization header:

Authorization: Bearer <PRIVATE_API_KEY>

Each endpoint responds with a 302 redirect to a short-lived signed URL. Most HTTP clients follow redirects by default — for example, curl -L follows the redirect and downloads the artifact in a single command.

Available endpoints

Base URL: https://api.vapi.ai

EndpointReturns
GET /call/{id}/mono-recordingCombined mono recording (WAV/MP3)
GET /call/{id}/stereo-recordingStereo recording, customer + assistant on separate channels (WAV/MP3)
GET /call/{id}/customer-recordingCustomer-only mono recording (WAV/MP3)
GET /call/{id}/assistant-recordingAssistant-only mono recording (WAV/MP3)
GET /call/{id}/video-recordingVideo recording, when enabled (MP4)
GET /call/{id}/call-logsStructured call logs (gzipped JSONL)
GET /call/{id}/pcapPacket capture, when enabled (PCAP)

Example

Download a stereo recording for a given call:

$curl -L \
>  -H "Authorization: Bearer $VAPI_PRIVATE_API_KEY" \
>  -o recording.wav \
>  https://api.vapi.ai/call/<CALL_ID>/stereo-recording

Download call logs:

$curl -L \
>  -H "Authorization: Bearer $VAPI_PRIVATE_API_KEY" \
>  -o call-logs.jsonl.gz \
>  https://api.vapi.ai/call/<CALL_ID>/call-logs

Signed URLs returned by these endpoints expire after a short period. Always request a fresh URL from the API rather than caching the redirect target.