Authenticating gRPC Callback Events from Exotel
6 min
when exotel pushes real time call events to your grpc endpoint, you can optionally require authentication so your service only accepts callbacks from exotel this article describes the authentication method supported for exoml programmable voice api grpc callbacks overview exotel acts as the grpc client and invokes your triggercallbackevent method to deliver call events if authentication is enabled for your account, exotel includes credentials on each callback request using http basic auth sent as grpc metadata your grpc server should validate those credentials before processing the event when basic auth is configured on your account, exotel sends the following metadata with every triggercallbackevent request authorization basic \<base64(username\ password)> where username and password are the credentials configured for your account the value is standard http basic auth encoding base64(username + " " + password) sample authentication header sent by exotel on grpc callbacks when basic auth is configured on your account, exotel includes the following grpc metadata on every triggercallbackevent request authorization basic \<base64(username\ password)> example if your configured credentials are username exotel user password exotel pass then exotel forms exotel user\ exotel pass base64 encodes that string sends authorization basic zxhvdgvsx3vzzxi6zxhvdgvsx3bhc3m= your grpc server should read the authorization metadata from the incoming request decode the basic auth value validate the username and password reject the request if credentials are missing or invalid note custom headers such as x exotel token are not supported please validate the standard authorization basic auth header how to enable authentication implement your grpc endpoint using exotel’s shared proto schema, including triggercallbackevent see https //docs exotel com/voice apis/implementing your grpc endpoint for real time call events decide on the username and password (or api key and token) your service will accept share those credentials with exotel support / your exotel contact so they can be configured on your account ensure your grpc server validates the authorization metadata on every callback once configured, exotel automatically attaches basic auth credentials to outbound grpc callback requests for your account behavior when authentication is not configured if basic auth credentials are not configured on your account exotel still pushes events to your public grpc endpoint no authorization metadata is sent in that case, protect your endpoint using tls (required) optional mutual tls (mtls) network allowlisting / firewall rules your own application level validation ip whitelisting in addition to basic auth, we also support ip whitelisting your firewall / security group should allow inbound grpc/tls traffic from the following exotel ip addresses 35 154 174 161 13 233 217 51 98 130 5 99 whitelisting these ips helps ensure that only exotel can reach your grpc callback endpoint security recommendations always run your grpc endpoint over tls (port 443 is standard) prefer enabling basic auth for callback verification whitelist exotel callback source ips consider mtls for stronger client authentication where possible rotate credentials periodically and coordinate the update with exotel reject requests that are missing or have invalid authorization metadata when auth is enabled do not log raw credentials or full authorization headers in plaintext troubleshooting events are reaching your server but auth validation fails confirm you are reading grpc metadata key authorization (lowercase is typical in grpc) confirm you expect basic auth, not a custom token header confirm the username/password match what was shared with exotel confirm there are no extra spaces or encoding issues in your decoder no authorization metadata is present basic auth may not be configured on your exotel account yet contact exotel support to enable callback basic auth credentials for your account
Have a question?
Our super-smart AI, knowledgeable support team and an awesome community will get you an answer in a flash.
To ask a question or participate in discussions, you'll need to authenticate first.
