For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
CommunitySign Up
HomeGuidesVerbsAPI ReferenceSelf-HostingClient SDKsTutorialsChangelog
HomeGuidesVerbsAPI ReferenceSelf-HostingClient SDKsTutorialsChangelog
  • Get Started
    • jambonz Overview
    • Developer Quickstart
    • Deployment Options
    • Support Plans
    • jambonz.cloud
  • Using the jambonz portal
  • Features
    • Voice Agents
    • Using OpenAI STT
    • Custom STT providers
    • Custom TTS providers
    • Answering machine detection
    • Conferencing "coach" mode
    • Continous ASR
    • Handling ActionHook Delays
    • Managing media anchors
    • Call Recording
    • SIPREC Server
    • TTS Streaming
    • Dub tracks
    • Filler Noise
    • Securing HTTP Endpoints
    • API Rate Limits
    • Application Environment Variables
LogoLogo
CommunitySign Up
On this page
  • Verifying a signed request
Features

Securing HTTP Endpoints

Was this page helpful?
Edit this page
Previous

API Rate Limits

Next
Built with

This is important because your response to HTTP webhook requests will contain information that must be kept private between you and the jambonz platform. We recommend that you use HTTPS connections secured with TLS certificates for your endpoints, and that you additionally takes steps to verify that the incoming request was actually sent by jambonz, and not an imposter.

For the latter, you have two options:

  • You can use HTTP basic authentication to secure your endpoint with a username and password.
  • On the hosted platform, you can verify the signature of the HTTP request to know that it was sent by jambonz.

Verifying a signed request

The HTTP requests sent to you from the hosted platform will include a Jambonz-Signature header, which is a hash of the request payload signed with your webhook secret, which you can view (and when desired, change) in the self-service portal. Using that secret, you can verify that the request was actually sent by jambonz.

When using the Node.js SDK, this is done simply as http middleware.

1const express = require('express');
2const app = express();
3const {WebhookResponse} = require('@jambonz/node-client');
4
5
6app.use(WebhookResponse.verifyJambonzSignature('<your-webhook-secret>'));
7app.use('/', routes); /* only requests with valid signatures will get here */