how do I pass cookies into custom tool call?
I want to be able to identify user from cookies token to make sure I'm only retrieving data for a particular user when custom tool is called
VTo securely identify users in your custom tool call, pass the user token as an argument in the tool call payload or as a custom header. On your server, extract the token from the request and use it for user validation. For example, in your Express endpoint:
Set the header in your tool's server config as shown in the Vapi docs.
Sources:
Set the header in your tool's server config as shown in the Vapi docs.
Sources:
⤵️ Mention @Vapi Support Bot for follow-ups 🐥
Y@Duckie how do I pass custom header in from react typescript
VYou cannot set custom headers (like Authorization) dynamically from React/TypeScript using the Vapi Web SDK.
Custom headers for tool calls must be configured in your assistant or tool's server config, for example:
If you need to identify the user, pass the token as an argument in the tool call payload instead, and extract it on your backend.
See Vapi docs for details.
Sources:
Custom headers for tool calls must be configured in your assistant or tool's server config, for example:
If you need to identify the user, pass the token as an argument in the tool call payload instead, and extract it on your backend.
See Vapi docs for details.
Sources:
Y@Duckie I've tried using assistantOverride.variableValues to pass user token in but its not replacing the value in header field?
{
"variableValues": {
"usertoken": "super_secret_token"
}
}
This is the value of header in the tool setup config
Bearer {{usertoken}}
{
"variableValues": {
"usertoken": "super_secret_token"
}
}
This is the value of header in the tool setup config
Bearer {{usertoken}}
VDynamic header value replacement using
Instead, pass the user token as an argument in your tool call payload and extract it on your backend:
Set static headers in your tool config, but use payload arguments for dynamic user data.
See Vapi docs for details.
Sources:
assistantOverride.variableValues is not supported in Vapi. Instead, pass the user token as an argument in your tool call payload and extract it on your backend:
Set static headers in your tool config, but use payload arguments for dynamic user data.
See Vapi docs for details.
Sources:
Y@Kings_big
any idea?
any idea?
EPass the user’s token from cookies into assistantOverrides.toolOverrides as an Authorization header when starting a session, so your custom tool can securely identify and return data only for that authenticated user..
Yis there documentation/example for this?
I'm getting 400 on assistantOverrides.property toolOverrides should not exist
I'm getting 400 on assistantOverrides.property toolOverrides should not exist
KYou can pass the user’s token as an Authorization header via assistantOverrides.credentials not toolOverrides, since toolOverrides isn’t valid. Use assistantOverrides: { credentials: { Authorization: "Bearer <token>" } } when starting a session..
Yare u sure? this isn't valid either
KCould you provide an overview of the implementation and specifically how you are going to pass these cookies to the request? With this context it will give us a better understanding of the data flow and possible solutions
YI'm using the nextjs an starting the session with vapi.start. I'm getting the cookies from browser session and trying to pass that into vapi session so every tool call(specifically our own MCP server) would use this token to identify user and apply row level access
KIf your MCP server uses OAuth2, you could potentially use the webhook integration with assistantOverrides.credentials and pass the dynamic variable into there: https://docs.vapi.ai/api-reference/calls/create#request.body.assistantOverrides.credentials.WebhookCredential
GDo you have an example somewhere how this can be achived? I also need to sign the MCP requests with Bearer token
K- Client-Side Setup (Next.js)
K- API Call Example for Creating a Call
KYour MCP server should be configured to handle OAuth2 authentication and user identification:
KKey Points:
- OAuth2 Flow: Use webhookCredential with oauth2 type for proper authentication flow
- User Context: Pass user identifiers through headers, body parameters, or variable values
- Row-Level Security: Implement access control in your MCP server based on the authenticated user
- Token Validation: Always validate tokens and user permissions on your MCP server
- Dynamic Headers: Use variable substitution for dynamic user-specific values
