Webhooks
Receive real-time HTTP callbacks when calls are queued, finish, or are analyzed. Every payload is signed with HMAC-SHA256 in the X-Voice-Signature header.
Configuration
Set a default webhook URL for your organization:
- Dashboard: Settings → Webhook URL → Save
- API: PATCH /dashboard/webhook with {"webhook_url":"https://yourapp.com/voice/hooks"}
Override per call with webhook_url on POST /v1/calls/outbound — useful for multi-tenant SaaS routing events to the correct subscriber endpoint.
Each organization receives a unique webhook_secret at signup (stored hashed server-side). Use this secret to verify signatures — never expose it in client-side code.
Event types
| Event | When fired | Typical payload fields |
|---|---|---|
| call.queued | Immediately after outbound call is persisted | to, status, metadata |
| call.ended | Call completes or fails (Phase 2 worker) | status, duration_seconds, disposition |
| call.analyzed | Transcript and structured answers available | transcript, structured_answers, recording_url |
Envelope format
All events share a JSON envelope:
Additional fields are merged at the top level per event type. Timestamps are ISO 8601 UTC.
X-Voice-Signature
VoxBridge signs the raw JSON body with your organization's webhook secret:
Verification algorithm:
- Read the raw request body bytes (before JSON parsing).
- Compute HMAC-SHA256(secret, body) as lowercase hex.
- Compare to header value sha256={digest} using a constant-time comparison.
Delivery behavior
- HTTP POST with Content-Type: application/json
- 15-second timeout per delivery attempt
- Success = HTTP 2xx response from your server
- Events are logged in webhook_events with delivered flag and response code for dashboard debugging
Implement idempotent handlers keyed on call_id + event — retries may occur if your endpoint is slow or returns errors.
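A receiver-side sketch of the verification algorithm and the idempotency rule above, added here as an example and not taken from VoxBridge's own code. It assumes call_id and event are top-level keys of the JSON envelope; the function names, the sample secret and body, and the in-memory set (a stand-in for a durable store) are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample values; the real secret is your organization's webhook_secret.
SAMPLE_SECRET = b"constructed-example-secret"
SAMPLE_BODY = b'{"event":"call.ended","call_id":"call_123","status":"completed"}'
seen_events = set()  # assumption: replace with a durable store shared by all workers


def sign(secret: bytes, body: bytes) -> str:
    """Build the header value described above: sha256=<lowercase hex HMAC-SHA256>."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header) -> bool:
    """Check X-Voice-Signature against the raw body bytes in constant time."""
    if not isinstance(header, str) or not header.startswith("sha256="):
        return False
    expected = sign(secret, raw_body)
    # Comparing as bytes accepts any header text and does not leak where a mismatch occurs.
    return hmac.compare_digest(expected.encode(), header.encode("utf-8", "replace"))


def handle_delivery(secret: bytes, raw_body: bytes, header) -> tuple:
    """Return (HTTP status, outcome) for one delivery attempt."""
    if not verify_signature(secret, raw_body, header):
        return 401, "bad-signature"
    try:
        payload = json.loads(raw_body)  # parse only after the MAC has been checked
        key = (str(payload["call_id"]), str(payload["event"]))
    except (ValueError, KeyError, TypeError):
        return 400, "malformed"
    if key in seen_events:
        return 200, "duplicate"  # acknowledge a retry without reprocessing it
    seen_events.add(key)
    return 200, "processed"


if __name__ == "__main__":
    header = sign(SAMPLE_SECRET, SAMPLE_BODY)
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, header))
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, header))
```

Pass the bytes exactly as received from the socket or framework; re-serializing parsed JSON changes whitespace or key order and the digest will no longer match.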