# Webhook signature validation

> Validate SignalWire-signed webhook requests in custom server applications.

[agentbase]: /docs/server-sdks/reference/python/agents/agent-base

[validate-webhook-signature]: /docs/server-sdks/reference/python/core/security/validate-webhook-signature

[validate-request]: /docs/server-sdks/reference/python/core/security/validate-request

[make-webhook-validation-dependency]: /docs/server-sdks/reference/python/core/security/make-webhook-validation-dependency

The `signalwire.core.security` module verifies that an incoming webhook was signed by
SignalWire with your Signing Key. Use it to protect custom (non-`AgentBase`) servers that
receive SWML, SWAIG, or Compatibility callbacks.

SignalWire sends the signature in the `X-SignalWire-Signature` request header. The legacy
`X-Twilio-Signature` header is accepted as an alias so callers migrating from the
Compatibility SDK keep working unchanged.

If you build agents with [`AgentBase`][agentbase], you do not need these helpers — set
the `signing_key` constructor parameter and the SDK validates the `POST /`, `/swaig`, and
`/post_prompt` endpoints automatically. Use the standalone validators when you serve
webhooks from your own framework or routes.

## **Validators**

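- [`validate-webhook-signature`][validate-webhook-signature]: Validate a signature against the raw request body. The primary standalone validator.
- [`validate-request`][validate-request]: Legacy-compatible validator that accepts a raw body or pre-parsed form params.
- [`make-webhook-validation-dependency`][make-webhook-validation-dependency]: Build a FastAPI `Depends()` that enforces signature validation on a route.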

## **Module constants**

The module also exports the two recognized signature header names:

```python
from signalwire.core.security import (
    SIGNALWIRE_SIGNATURE_HEADER,    # "x-signalwire-signature"
    TWILIO_COMPAT_SIGNATURE_HEADER, # "x-twilio-signature"
)
```
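
The following added example (not SDK code and not from the original page) shows the checks a raw-body validator performs around the two header names above: case-insensitive header lookup with the alias as fallback, comparison over the exact bytes received, and failing closed. Assumptions: the signing scheme (hex HMAC-SHA256 of the raw body) is a stand-in because this page does not state SignalWire's algorithm, the primary header is assumed to take precedence over the alias, and the function names and sample values are hypothetical.

```python
import hashlib
import hmac
import json

# Header names as listed on this page (lowercase form exported by the module).
SIGNALWIRE_SIGNATURE_HEADER = "x-signalwire-signature"
TWILIO_COMPAT_SIGNATURE_HEADER = "x-twilio-signature"


def extract_signature(headers):
    """Return the signature value; primary header first (assumed), then the alias."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in (SIGNALWIRE_SIGNATURE_HEADER, TWILIO_COMPAT_SIGNATURE_HEADER):
        value = lowered.get(name)
        if value:
            return value.strip()
    return None


def sign_body(signing_key, raw_body):
    """ASSUMPTION: stand-in scheme (hex HMAC-SHA256), not SignalWire's algorithm."""
    return hmac.new(signing_key.encode(), raw_body, hashlib.sha256).hexdigest()


def is_authentic(signing_key, headers, raw_body):
    """Fail closed: an empty key, a missing header or a mismatch all reject."""
    provided = extract_signature(headers)
    if not signing_key or provided is None:
        return False
    expected = sign_body(signing_key, raw_body)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), provided.encode())


# Constructed sample request (not real SignalWire traffic).
SAMPLE_KEY = "example-signing-key"
SAMPLE_BODY = b'{"call_id": "abc", "event":"answered"}'
SAMPLE_SIG = sign_body(SAMPLE_KEY, SAMPLE_BODY)
# Parsing and re-serialising JSON changes the bytes, so validation must fail.
RESERIALISED_BODY = json.dumps(json.loads(SAMPLE_BODY)).encode()

if __name__ == "__main__":
    hdrs = {"X-SignalWire-Signature": SAMPLE_SIG}
    print("raw body:", is_authentic(SAMPLE_KEY, hdrs, SAMPLE_BODY))
    print("re-serialised body:", is_authentic(SAMPLE_KEY, hdrs, RESERIALISED_BODY))
```

In a real server, capture the request body bytes before any JSON or form parsing and pass those bytes to the SDK validator.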