Inbound Webhooks Reference

Inbound webhooks allow your systems to trigger actions in HuskyVoice AI (like starting a call) by sending authorized HTTP POST requests to a unique endpoint.

|          | Inbound Webhook | REST API |
|----------|-----------------|----------|
| Best for | No-code tools, CRMs, Zapier, HubSpot | Custom applications, backend integrations |
| Auth     | Secret Token in URL | API Key in header |

Endpoint Configuration

Every inbound webhook is assigned a unique Secret Token that identifies your organization.

  • Method: POST
  • URL Format: https://api.huskyvoice.ai/v1/hooks/{YOUR_SECRET_TOKEN}
  • Content-Type: application/json
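
Because the Secret Token is part of the URL path, it ends up wherever request URLs are written: client logs, proxy logs, error reports. The following is an added example, not HuskyVoice code, of a logging filter that masks the token segment before a record is emitted; `redact_hook_token`, `HookTokenFilter` and the sample token are hypothetical names and constructed values.

```python
import logging
import re

# Matches the token path segment of the URL format shown above:
# /v1/hooks/{YOUR_SECRET_TOKEN}
_HOOK_TOKEN = re.compile(r'(/v1/hooks/)[^/\s?#"]+')


def redact_hook_token(text: str) -> str:
    """Replace the token segment of any inbound-webhook URL found in text."""
    return _HOOK_TOKEN.sub(r"\1[REDACTED]", text)


class HookTokenFilter(logging.Filter):
    """Mask the Secret Token in every record passing through a handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its arguments first, so a token passed as a
        # %s argument is masked as well as one embedded in the format string.
        record.msg = redact_hook_token(record.getMessage())
        record.args = None
        return True  # keep the record, now without the token


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(HookTokenFilter())
    log = logging.getLogger("webhook-client")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample token, not a real credential.
    url = "https://api.huskyvoice.ai/v1/hooks/tok_constructed_123"
    log.info("POST %s -> %d", url, 201)
```

Attach the filter to handlers rather than to a single logger so records from HTTP client libraries are covered too.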

Making a Call via Inbound Webhook

Follow these steps to trigger a call using your Inbound Webhook:

  1. Get your Secret Token — Find it in Dashboard → Integrations → Inbound Webhooks
  2. Set the action — Use call.create in the request body
  3. Add contact details — Include agent_id and contact_number at minimum
  4. Send the request — POST to https://api.huskyvoice.ai/v1/hooks/YOUR_SECRET_TOKEN
  5. Check the response — A call_id with status: queued confirms the call is initiated

curl -X POST https://api.huskyvoice.ai/v1/hooks/YOUR_SECRET_TOKEN \
  -H "Content-Type: application/json" \
  -d '{
    "action": "call.create",
    "data": {
      "agent_id": "agent_abc_123",
      "contact_number": "+919876543210",
      "contact_name": "John Doe"
    }
  }'

Sample Response:

{
  "success": true,
  "call_id": "call_abc_123",
  "status": "queued",
  "message": "Call has been queued successfully."
}

Tip: Replace YOUR_SECRET_TOKEN with the token found in your HuskyVoice dashboard under Integrations → Inbound Webhooks.


Supported Actions

The request body must include an action and a corresponding data object.

1. call.create

Triggers an outbound call to a specific contact using a defined AI Agent.

Payload Schema:

{
  "action": "call.create",
  "data": {
    "agent_id": "agent_abc_123",
    "contact_number": "+919876543210",
    "contact_name": "John Doe",
    "contact_email": "john@example.com",
    "additional_info": {
      "order_id": "ORD_999",
      "priority": "high"
    }
  }
}

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| agent_id | string | Yes | The ID of the agent to use for the call. |
| contact_number | string | Yes | Phone number with country code (e.g., +91XXXXXXXXXX). |
| contact_name | string | No | Name of the recipient for AI context. |
| contact_email | string | No | Email address for follow-up notifications. |
| additional_info | object | No | Key-value pairs (max 25) for custom agent metadata. |

2. call.cancel

Attempts to cancel a call that is still in a queued state.

Payload Schema:

{
  "action": "call.cancel",
  "data": {
    "call_id": "call_xyz_789"
  }
}

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| data.call_id | string | Yes | The call_id of the queued call to cancel. |

3. call.delete

Permanently deletes a completed call and erases all associated end-customer PII (transcript, contact details, recording metadata). Only works on calls that have a recorded engagement (i.e., calls that were connected). See Deleting Calls for full details.

Payload Schema:

{
  "action": "call.delete",
  "data": {
    "call_id": "call_xyz_789"
  }
}

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| data.call_id | string | Yes | The call_id of the completed call to delete. |

Security & Verification (Optional)

If you enable Signature Verification for your webhook, HuskyVoice will validate the sender using HMAC-SHA256 signatures.

Headers

| Header | Description |
|--------|-------------|
| X-Inbound-Timestamp | Current Unix timestamp. |
| X-Inbound-Signature | The HMAC-SHA256 signature string. |

Signature Validation

Every incoming request from HuskyVoice includes a signature in the X-Inbound-Signature header. You must validate this on your server to confirm the request is genuine and has not been tampered with.

How to validate:

  1. Read the X-Inbound-Timestamp and X-Inbound-Signature headers from the incoming request
  2. Recreate the signature by hashing timestamp.rawBody using your Inbound Signing Secret
  3. Compare your generated signature with the one in the header
  4. Reject the request if they do not match — return 401 Unauthorized

# Compute the expected signature to compare with X-Inbound-Signature
SECRET="YOUR_INBOUND_SIGNING_SECRET"
TIMESTAMP="1748700000"
PAYLOAD='{"action":"call.create","data":{"agent_id":"agent_abc_123"}}'

printf '%s.%s' "$TIMESTAMP" "$PAYLOAD" | openssl dgst -sha256 -hmac "$SECRET"
# openssl prefixes the digest with a label ending in "= ";
# compare the hex digest after it with the X-Inbound-Signature header value

Warning: Always reject requests that fail signature validation. Never process webhook payloads from unverified sources.
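
The four validation steps above, written as a check a request handler can call. This is an added example, not HuskyVoice code: the function names, the 300-second freshness window and the sample secret are assumptions, and it assumes the signature header carries the bare hex digest.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: the page does not state a replay window


def compute_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<rawBody>" keyed with the signing secret."""
    signed = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()


def verify_request(secret: str, headers: dict, raw_body: bytes, now=None) -> int:
    """Return the HTTP status for the request: 200 if genuine, else 401."""
    timestamp = headers.get("X-Inbound-Timestamp", "")
    signature = headers.get("X-Inbound-Signature", "")
    # Step 1: both headers must be present and the timestamp must be numeric.
    if not (timestamp.isascii() and timestamp.isdigit()) or not signature:
        return 401
    # Added check (assumption): refuse stale or future-dated timestamps so a
    # captured request cannot be replayed indefinitely.
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > MAX_SKEW_SECONDS:
        return 401
    # Step 2: recompute over the raw bytes as received, never re-serialized JSON.
    expected = compute_signature(secret, timestamp, raw_body)
    # Step 3: constant-time comparison, so timing does not reveal partial matches.
    received = signature.strip().lower()
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401  # Step 4: reject
    return 200


# Constructed sample values (timestamp and payload mirror the shell snippet).
SAMPLE_SECRET = "constructed-signing-secret"
SAMPLE_TS = "1748700000"
SAMPLE_BODY = b'{"action":"call.create","data":{"agent_id":"agent_abc_123"}}'
SAMPLE_HEADERS = {
    "X-Inbound-Timestamp": SAMPLE_TS,
    "X-Inbound-Signature": compute_signature(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(verify_request(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=1748700030))
```

Most web frameworks expose headers case-insensitively and parse the body for you; read the unparsed request bytes for `raw_body`, since any change in whitespace or key order produces a different digest.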

Key Rotation

Rotating your Secret Token invalidates the old token immediately. Any requests using the old token will receive a 401 Unauthorized response.

When to rotate:

  • If your Secret Token is accidentally exposed or leaked
  • As part of a regular security audit cycle

How to rotate:

  1. Go to Dashboard → Integrations → Inbound Webhooks
  2. Click Regenerate Token
  3. Update your external systems (Zapier, HubSpot, etc.) with the new token immediately

Warning: Update all connected systems with the new token before rotating — existing integrations using the old token will stop working immediately after rotation.

Response Codes

  • 200 OK: call.cancel or call.delete action completed successfully.
  • 201 Created: call.create action successfully queued.
  • 400 Bad Request: Validation error (e.g., invalid phone format).
  • 401 Unauthorized: Invalid token or signature failure.
  • 402 Payment Required: Insufficient credits to trigger the action.
  • 404 Not Found: call.cancel or call.delete — no matching call found.
  • 409 Conflict: call.cancel — call exists but is not in a cancellable state.
  • 429 Too Many Requests: Daily request quota exceeded.