Vapi webhook receiver

The AI Services receive Vapi webhooks at:

POST /api/vapi/webhook                    # main webhook (HMAC-SHA256 verified)
POST /api/vapi/webhook/assistant-request  # dynamic assistant config
GET  /api/vapi/webhook/health             # health
GET  /api/vapi/webhook/call/{call_id}     # call state
GET  /api/vapi/webhook/call/{call_id}/transcript  # buffered transcript

Event types

Event	When
`status-update`	Call status change
`transcript`	Transcript chunk available
`function-call`	LLM invoked one of Grace’s functions
`tool-calls`	Tool invocation batch
`end-of-call-report`	Final call summary
`speech-update`	Speaking / silent state
`user-interrupted`	User interrupted assistant
`hang`	Call hung up

Signature verification

Webhook signature: vapi-signature header. Verified using the configured webhook_secret (HMAC-SHA256). Unverified webhooks are rejected.

Outbound webhooks (to your endpoint)

If your tenant has configured a webhook URL on the deployment, Medera sends signed outbound webhooks:

Event	Payload
`intake.started`	`{ call_id, deployment_id, patient_phone }`
`intake.screener.completed`	`{ call_id, screener, score, severity }`
`intake.crisis.detected`	`{ call_id, risk_band, escalation_id }`
`intake.summary.ready`	`{ call_id, handoff_packet_url }`
`intake.completed`	`{ call_id, summary_id, duration_ms }`

Verify with Medera-Signature: sha256=....

List intake calls Grace function calls

⌘I

Documentation Index

​Event types

​Signature verification

​Outbound webhooks (to your endpoint)

Event types

Signature verification

Outbound webhooks (to your endpoint)