Phantom X-Vapi-Secret Header Causing 401s Despite Bearer Credential Configured

Here’s the short Discord-ready breakdown you can drop in support:

---

I only have one webhook credential set up — a custom Bearer token — and it’s selected at both my Org and my Phone Number in the Vapi dashboard.

But when calls come in, my server logs show:

[verifyVapi] 401 tails { expectedTail: '25c3', providedTail: '9e40', mode: 'x-secret' }


We also added debug logging on the transient assistants we return, and they have no server or headers. Example:

[assistant-payload][debug] { server: null, fnServers: [] }


So the only credential configured is Bearer (…25c3), but Vapi is still sending an X-Vapi-Secret …9e40 header on every webhook. That phantom secret doesn’t exist anywhere in our config, so our server rejects it with 401 and transfers fail.

Looks like a leftover legacy server.secret on our org from before you removed it in May 2025. Can you please clear it so Vapi only uses the Bearer credential we’ve configured?

App: vocly (Fly.io) #webhooks
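
Added example, not the poster's or Vapi's code: a hypothetical verifyVapi-style check that evaluates every credential header on a webhook and reports only tails, so a log line shows whether the configured Bearer token arrived alongside an unexpected X-Vapi-Secret. The function shape, the accept-if-any-matches policy and the sample secrets are assumptions; only the header names and the tails come from the post.

```javascript
const crypto = require('node:crypto');

// Log only the last four characters so a full secret never reaches the logs.
const tail = (s) => (s ? String(s).slice(-4) : null);

// Constant-time comparison. Hashing both sides first gives equal-length
// buffers, which crypto.timingSafeEqual requires.
function safeEqual(a, b) {
  const h = (v) => crypto.createHash('sha256').update(String(v)).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// headers: lower-cased header map, as Node's http module provides.
// expected: the one shared secret this server is configured with (assumption).
function verifyVapi(headers, expected) {
  const auth = headers['authorization'] || '';
  const bearer = /^Bearer\s+/i.test(auth) ? auth.replace(/^Bearer\s+/i, '') : null;
  const presented = [
    { mode: 'bearer', value: bearer },
    { mode: 'x-secret', value: headers['x-vapi-secret'] || null },
  ].filter((p) => p.value);

  // Evaluate every credential that arrived, so the log shows whether the
  // configured Bearer token came alongside an unexpected X-Vapi-Secret.
  const checks = presented.map((p) => ({
    mode: p.mode,
    providedTail: tail(p.value),
    match: safeEqual(p.value, expected),
  }));
  // Assumed policy: accept when any presented credential matches.
  const ok = checks.some((c) => c.match);
  return { ok, status: ok ? 200 : 401, expectedTail: tail(expected), checks };
}

// Constructed sample values; the tails mirror the log line in the post.
const EXPECTED = 'constructed-bearer-token-25c3';
const STALE = 'constructed-legacy-secret-9e40';

function demo() {
  return {
    staleOnly: verifyVapi({ 'x-vapi-secret': STALE }, EXPECTED),
    both: verifyVapi({ authorization: `Bearer ${EXPECTED}`, 'x-vapi-secret': STALE }, EXPECTED),
    none: verifyVapi({}, EXPECTED),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```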