- What: Verify that incoming webhook requests genuinely came from Plivo and weren’t tampered with, using HMAC-SHA256 signatures
- How: Extract
X-Plivo-Signature-V3+X-Plivo-Signature-V3-Nonceheaders, concatenate URL + sorted POST params + nonce, sign with your Auth Token, compare. All Plivo SDKs have built-in validation helpers. - Note: If your account has multiple auth tokens, Plivo sends comma-separated signatures for each. Validate against all
- Migration: V2 signatures are deprecated. Migrate to V3 for improved security
Signature generation logic
Plivo signs all HTTP requests from its servers to your application server, and assembles the request to your application server by concatenating the final request URL (the full URL with the scheme, port, and query string) and any POST parameters.- If your request is a POST, Plivo will take all the POST parameters, sort them alphabetically by name (using Unix-style case-sensitive sorting), and append the parameter name and value pairs to the end of the URL.
- If the request is a GET, the final request URL will include all of Plivo’s request parameters appended to the query string of your original URL.
Example:
If your application URL is https://example.com/abcd?foo=bar and the list of Plivo POST parameters is:Concatenating with nonce value
The assembled request string from this step is then appended with a randomly generated nonce string that’s unique for every request. This string is passed separately in the HTTP header X-Plivo-Signature-V3-Nonce as part of the HTTP request to your application URL.Example:
If the randomly generated nonce value isSigning with Auth Token
The output of this step is then signed using HMAC-SHA256 and your Plivo Auth Token as the key. The resulting signed hashes are Base64-encoded and passed in HTTP headers with the request. X-Plivo-Signature-V3 is generated using the Auth Token of the account or subaccount associated with the request entity. For example, if the request is for an incoming call to a Plivo phone number mapped to one of your subaccounts, then that subaccount’s Auth Token will be used when generating X-Plivo-Signature-V3. X-Plivo-Signature-Ma-V3, on the other hand, is always generated using the Auth Token of your main Plivo account.Note: If you have more than one active Auth Token for the associated account or subaccount, Plivo will generate a signature using each of the active Auth Tokens and pass a comma-separated list of the resulting signatures to the application server (for example, X-Plivo-Signature-Ma-V3: <Signature signed with Token 1>,<Signature signed with Token 2>).