Flireo AI
WebsiteLinkedin
WebsiteLinkedin
  1. Webhooks
  • API Reference
    • Agents
      • List all agents
      • Create a new agent
      • Get an agent
      • Update an agent
      • Delete an agent
    • Tool Templates
      • List all tool templates
      • Create a new tool template
      • Get a tool template
      • Update a tool template
      • Delete a tool template
    • Numbers
      • List all phone numbers
      • Register a phone number
      • Get a phone number
      • Update a phone number
      • Delete a phone number
    • Calls
      • List calls
      • Get call by ID
      • Initiate outbound call
    • Call Control
      • Send control command to active call
    • Usage
      • Get usage logs
    • SIP Trunks
      • List SIP trunks
      • Create a SIP trunk
      • Get a SIP trunk
      • Delete a SIP trunk
    • Voices
      • List available voices
    • BYOK
      • Get BYOK configurations
      • Add BYOK configuration
      • Delete BYOK configuration
      • Get BYOK provider configurations
    • Domains
      • Get your domain
      • Add a domain
      • Delete your domain
      • List available Resend domains
      • Select and sync a Resend domain
      • Verify domain DNS records
      • Refresh domain status
    • Webhooks
      • Dynamic assistant configuration webhook
      • Tool/Function Call
      • Call Status Update
      • End of Call Report
    • Analysis Templates
      • List analysis templates
      • Create analysis template
      • Get analysis template
      • Update analysis template
      • Delete analysis template
    • Organization
      • Get organization information
    • Campaigns
      • List all campaigns
      • Create a campaign
      • Get a campaign
      • Update a campaign
      • Delete a campaign
      • List campaign leads
      • Add a lead
      • Remove a lead
  • Documentation
    • Get started
      • Quickstart
      • Introduction
      • Authentication
    • Core concepts
      • Agents
      • Phone numbers
      • Calls
      • Webhooks
    • Api's
      • Organization
      • Agents
      • Phone numbers
      • Sip trunks
      • Calls
      • Call control
      • Usage
      • Voices
      • BYOK
      • Domains
      • Analysis templates
      • Tool templates
    • Webhooks
      • Overview
      • Assistant request
      • Tool calls
      • Status update
      • End of call report
      • Security
    • Guides
      • BYOK Setup
      • Call analysis
      • Custom Tools
      • Call Transfers
      • xAI Realtime Integration
      • Analysis templates
      • Billing
      • Error codes
      • Rate limits
      • Sip Trunks
      • Tool templates
      • Troubleshooting
WebsiteLinkedin
WebsiteLinkedin
  1. Webhooks

Security

When you configure a webhook_secret on your agent, Flireo signs all webhook requests. You should verify these signatures to ensure requests come from Flireo.

Signature Format#

Flireo uses HMAC-SHA256 to sign webhooks. The signature is included in the X-Webhook-Signature header.

How It's Calculated#

message = timestamp + "." + raw_request_body
signature = HMAC-SHA256(secret, message)

Verification Examples#

Python#

Node.js#

Go#

PHP#

Best Practices#

1.
Always verify in production - Never skip signature verification in production
2.
Use timing-safe comparison - Prevent timing attacks with constant-time comparison
3.
Check timestamp freshness - Optionally reject requests older than 5 minutes to prevent replay attacks
4.
Store secret securely - Use environment variables, not hardcoded values
5.
Log verification failures - Monitor for suspicious activity

Timestamp Validation#

Optionally validate the timestamp to prevent replay attacks:
See WebhookHeaders Schema for header details.
Modified at 2025-12-29 14:27:19
Previous
End of call report
Next
BYOK Setup
Built with