For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Log inSign up
Support
GuidesReference
GuidesReference
    • Core
      • Overview
      • Webhook signature validation
        • make_webhook_validation_dependency
        • validate_request
        • validate_webhook_signature
    • Agents
      • Overview
      • AgentBase
      • AgentServer
      • BedrockAgent
      • CLI Tools
      • Configuration
      • ContextBuilder
      • DataMap
      • FunctionResult
      • Helper Functions
      • LiveWire
      • MCP Gateway
      • PomBuilder
      • Prefabs
      • Search
      • SkillBase
      • Skills
      • SWAIGFunction
      • SWMLBuilder
      • SWMLService
      • WebService
    • RELAY
      • Overview
      • Actions
      • Call
      • Constants
      • Events
      • Message
      • RelayClient
      • RelayError
    • REST Client
      • Overview
      • Addresses
      • Calling
      • Chat
      • Compat
      • Datasphere
      • Fabric
      • Imported Numbers
      • Logs
      • Lookup
      • MFA
      • Number Groups
      • Phone Numbers
      • Project
      • PubSub
      • Queues
      • Recordings
      • Registry
      • RestClient
      • Short Codes
      • SignalWireRestError
      • SIP Profile
      • Verified Callers
      • Video
LogoLogoSignalWire Docs
Log inSign up
Support
On this page
  • Validators
  • Module constants
Core

Webhook signature validation

|View as Markdown|Open in Claude|
Was this page helpful?
Edit this page
Previous

make_webhook_validation_dependency

Next
Built with

The signalwire.core.security module verifies that an incoming webhook was signed by SignalWire with your Signing Key. Use it to protect custom (non-AgentBase) servers that receive SWML, SWAIG, or Compatibility callbacks.

SignalWire sends the signature in the X-SignalWire-Signature request header. The legacy X-Twilio-Signature header is accepted as an alias so callers migrating from the Compatibility SDK keep working unchanged.

If you build agents with AgentBase, you do not need these helpers — set the signing_key constructor parameter and the SDK validates the POST /, /swaig, and /post_prompt endpoints automatically. Use the standalone validators when you serve webhooks from your own framework or routes.

Validators

validate_webhook_signature

Validate a signature against the raw request body. The primary standalone validator.

validate_request

Legacy-compatible validator that accepts a raw body or pre-parsed form params.

make_webhook_validation_dependency

Build a FastAPI Depends() that enforces signature validation on a route.

Module constants

The module also exports the two recognized signature header names:

1from signalwire.core.security import (
2    SIGNALWIRE_SIGNATURE_HEADER,    # "x-signalwire-signature"
3    TWILIO_COMPAT_SIGNATURE_HEADER, # "x-twilio-signature"
4)