Hello. Bit of a niche question, but I’m using a third party host such as digital ocean to run my local instance of n8n. I’ve also added extra security layers with cloud flare to protect my domain so that only I can access the domain for my n8n flow. Because of this, any webhooks that I need activated won’t work because of that extra layer of authentication, to combat this, I’ve bypassed all webhooks to work with service tokens (inside of cloudflare). When I test my webhooks inside of post man for a simple tool call inside of n8n, it gives me a 200 response. So the webhooks are not able to be authorised for data transfer with these service tokens id and client secret headers. However, the tool call fails to work when I make a call using vapi, even tho within the tools section, I’ve added the appropriate headers and key values. Hopefully that makes sense, but I was wondering if Vapi is able to use those service tokens from cloudflare to allow the webhook url to bypass the cloudflare security. Thank you

@Ali M Hello! It's great to hear that you're taking security seriously with your n8n setup. VAPI is designed to be flexible and can indeed send custom headers with its requests, which should allow you to use service tokens for authentication with Cloudflare. To ensure that VAPI sends the appropriate headers with its webhook calls, you'll need to include the service token ID and client secret in the headers of your VAPI request. You mentioned that you've already added the appropriate headers and key values in the tools section, which is the correct approach. Here's a general example of how you might include custom headers in a VAPI request using cURL:

bash
curl --request POST \
  --url https://api.vapi.ai/your-webhook-endpoint \
  --header 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  --header 'CF-Access-Client-Id: YOUR_SERVICE_TOKEN_ID' \
  --header 'CF-Access-Client-Secret: YOUR_CLIENT_SECRET' \
  --data '{
    "data": "your_payload"
}'

Make sure to replace

YOUR_ACCESS_TOKEN

,

YOUR_SERVICE_TOKEN_ID

,

YOUR_CLIENT_SECRET

, and

your_payload

with your actual access token, service token ID, client secret, and the payload you want to send. If you've set everything up correctly and are still experiencing issues, it's possible there may be a configuration error or an issue with how the headers are being passed through VAPI. In that case, please double-check your setup within VAPI to ensure that the headers are correctly configured. If you continue to face difficulties, please ask support for more info on this, as they may need to look into your specific setup to provide a more tailored solution.

Where would I put these headers exactly? In the tool itself? @Vapi

@Ali M Yes, you would include these headers directly in the configuration of the tool you're using within VAPI. When setting up your API call in VAPI, you should find a section where you can define custom headers for the HTTP request. This is where you would input the service token ID and client secret headers required by Cloudflare. Here's a simplified example of what the header configuration might look like in a JSON format, which you could use in the VAPI tool settings:

json
{
  "headers": {
    "CF-Access-Client-Id": "your_service_token_id",
    "CF-Access-Client-Secret": "your_client_secret"
  }
}

Replace

your_service_token_id

and

your_client_secret

with your actual Cloudflare service token ID and client secret. When you configure your tool call in VAPI, ensure that these headers are included in the request being sent to your n8n instance. If you're unsure where to add these in the VAPI interface or if the tool you're using doesn't seem to support custom headers, please ask support for more info on this, and they can guide you through the process.

I try this, but whenever I try to make the tool call it doesn’t work inside vapi, it works from postman, which tells me that it’s a vapi issue? Do I only need to include these headers at the tool level or also the assistant level if possible? @Vapi

@Ali M If the tool call works from Postman but not from within VAPI, it suggests that there might be an issue with how VAPI is handling the headers or making the request. You should only need to include these headers at the tool level, as that's where the actual HTTP request is being made. Here are a few steps you can take to troubleshoot the issue: 1. **Check Headers**: Ensure that the headers are correctly formatted and included in the tool configuration within VAPI. They should match exactly what you have in Postman. 2. **Check Endpoint URL**: Verify that the webhook URL is correct and accessible from the server where VAPI is running. 3. **Check Tool Configuration**: Make sure that the tool you're using in VAPI supports custom headers and that you're using the correct syntax for including them. 4. **Error Messages**: Look for any error messages or logs that VAPI provides when the tool call fails. This can give you clues about what's going wrong. 5. **VAPI Documentation**: Consult the VAPI documentation to ensure that you're using the tool correctly and that you're not missing any required configuration steps. 6. **Support**: If you've checked all of the above and the issue persists, it may be necessary to contact VAPI support for assistance. They can provide more detailed guidance and help identify if there's a bug or a configuration issue within VAPI. Since you're mentioning that it's a VAPI issue, and assuming you've already included the headers correctly at the tool level, it seems like the next step would be to reach out to VAPI support for further assistance. They would be able to provide more specific help tailored to your situation.

@Ali M as you've configured VAPI to include the required headers. Those should technically work to bypass Cloudflare's security layers. If it's not working as expected, it might be because of header misalignment. Could you share the recent call ID so I can take a look? https://cdn.discordapp.com/attachments/1328134881556959264/1328333096780566599/Screenshot_2025-01-13_at_17.25.10.png?ex=67865219&is=67850099&hm=e3a9da2ecddc72bfe6440ed028f1283bdf792029a474fc7c7c3c4f6c99ff2a42&

the call id within vapi? with the headers?

@Ali M call id is unique to each call, you can get the call id from Vapi dashboard. - Goto Vapi Dashboard - Navigate to left side of dashboard (navbar) and look for logs > calls - Copy the Id under call ID. Make sure to share the recent call's call id.