Server authentication

When configuring webhooks for your assistant, you can authenticate your server endpoints using either a secret token, custom headers, or OAuth2. This ensures that only authorized requests from Vapi are processed by your server.

Credential Configuration

Credentials can be configured at multiple levels:

Tool Call Level: Create individual credentials for each tool call
Assistant Level: Set credentials directly in the assistant configuration
Phone Number Level: Configure credentials for specific phone numbers
Organization Level: Manage credentials in the API Keys page

The order of precedence is:

Tool call-level credentials
Assistant-level credentials
Phone number-level credentials
Organization-level credentials from the API Keys page

Authentication Methods

Secret Token Authentication

The simplest way to authenticate webhook requests is using a secret token. Vapi will include this token in the X-Vapi-Signature header of each request.

Configuration

1 {
2   "server": {
3     "url": "https://your-server.com/webhook",
4     "secret": "your-secret-token"
5   }
6 }

Custom Headers Authentication

For more complex authentication scenarios, you can configure custom headers that Vapi will include with each webhook request.

This could include short lived JWTs/API Keys passed along via the Authorization header, or any other header that your server checks for.

Configuration

1 {
2   "server": {
3     "url": "https://your-server.com/webhook",
4     "headers": {
5       "Authorization": "Bearer your-api-key",
6       "Custom-Header": "custom-value"
7     }
8   }
9 }

OAuth2 Authentication

For OAuth2-protected webhook endpoints, you can configure OAuth2 credentials that Vapi will use to obtain and refresh access tokens.

Configuration (at the assistant-level)

1 {
2   "server": {
3     "url": "https://your-server.com/webhook"
4   },
5   "credentials": [
6     {
7       "provider": "webhook",
8       "authenticationPlan": {
9         "type": "oauth2",
10         "url": "https://your-server.com/oauth/token",
11         "clientId": "your-client-id",
12         "clientSecret": "your-client-secret",
13         "scope": "optional, only needed to specify which scopes to request access for"
14       }
15     }
16   ]
17 }

Configuration (via our Dashboard)

Visit the API Keys page

Go to https://dashboard.vapi.ai/keys to manage your OAuth2 credentials.

OAuth2 configuration in the Vapi dashboard

OAuth2 Flow

Vapi makes a request to your token endpoint with client credentials (Content-Type application/x-www-form-urlencoded)
Your server validates the credentials and returns an access token
Vapi includes the access token in the Authorization header for webhook requests
Your server validates the access token before processing the webhook
When the token expires, Vapi automatically requests a new one

OAuth2 Token Response Format

Your server should return a JSON response with the following format:

1 {
2   "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
3   "token_type": "Bearer",
4   "expires_in": 3600
5 }

Example error response:

1 {
2   "error": "invalid_client",
3   "error_description": "Invalid client credentials"
4 }

Common error types:

invalid_client: Invalid client credentials
invalid_grant: Invalid or expired refresh token
invalid_scope: Invalid scope requested
unauthorized_client: Client not authorized for this grant type

If using the OAuth2 flow for authenticating tool calls, make sure the server for the tool is the URL that should be hit after we have completed the token exchange.