Hi VAPI Team,
I'm encountering an issue where the X-Vapi-Signature header is consistently missing from webhook requests sent by VAPI to my server endpoint, leading to 401 errors from my handler (as it correctly expects the signature).
I'm creating assistants via the VAPI API (POST /assistant).
In the API request, I'm successfully setting the server.url and providing a server.secret.
My assistant creation logs confirm the request payload includes the server.secret, and VAPI's API responds with a success.
Webhook Behavior (Overall):
This issue (missing X-Vapi-Signature and presence of x-vapi-secret: "") occurs for all webhook types I've observed (tool-calls, end-of-call-report, status-update, etc.) when a server.secret is configured for the assistant via the API.
Could you please help investigate why the X-Vapi-Signature header is not being included in the webhooks, despite the server.secret being set during assistant creation via the API? Is there a known issue, a nuance in the configuration hierarchy, or a problem with how the secret is being processed for webhook signing on VAPI's end?
Thank you!
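Added example, not part of the original post and not VAPI code: a triage helper for the receiving handler that distinguishes an absent header from an empty one, matches header names case-insensitively, and reports only presence and length so no secret value reaches the logs. The function and verdict names are hypothetical; only the two header names come from the post, and nothing here assumes how a signature would be computed.

```python
from typing import Mapping, Optional

SIGNATURE_HEADER = "x-vapi-signature"  # header name taken from the post
SECRET_HEADER = "x-vapi-secret"        # header name taken from the post


def _lookup(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: None when absent, '' when sent but empty."""
    for key, value in headers.items():
        if key.lower() == name:
            return value.strip()
    return None


def _state(value: Optional[str]) -> str:
    """Describe a header without revealing its value."""
    if value is None:
        return "absent"
    if value == "":
        return "empty"
    return f"present(len={len(value)})"


def triage_auth_headers(headers: Mapping[str, str]) -> dict:
    """Classify a webhook request's auth headers for the 401 log line."""
    sig = _lookup(headers, SIGNATURE_HEADER)
    sec = _lookup(headers, SECRET_HEADER)
    if sig:
        verdict = "signature-present"
    elif sec:
        verdict = "secret-only"
    elif sec == "":
        verdict = "secret-empty"   # the case described in the post
    else:
        verdict = "no-auth-headers"
    return {"verdict": verdict, "signature": _state(sig), "secret": _state(sec)}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"Content-Type": "application/json", "x-vapi-secret": ""},
        {"Content-Type": "application/json", "X-Vapi-Signature": "abc123"},
        {"Content-Type": "application/json"},
    ]
    for request_headers in samples:
        print(triage_auth_headers(request_headers))
```

Logging this result next to each 401 shows whether the rejected requests carried no signature header at all, an empty secret header, or both.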