Skip to main content
This guide walks you through obtaining all required credentials for the Vapi plugin.

Authentication Method

The Vapi plugin uses API key authentication.
  • api_key (default) - API key authentication

API Key Setup

Step 1: Get API Key

  1. Log in to your Vapi dashboard
  2. Click on your account name in the top-right corner
  3. Go to OrganizationAPI Keys
  4. Click Create API Key
  5. Give your key a name (e.g., “Corsair Integration”)
  6. Copy the API key immediately
  7. Important: Store the key securely — you won’t be able to see it again
Storing Credentials: The preferred method is to store the API key in the database using the keys API: 
await corsair
    .withTenant('default')
    .vapi.keys.setApiKey('your-api-key');
Alternatively, you can provide the key directly in the plugin configuration:
corsair.ts
vapi({
    key: process.env.VAPI_API_KEY,
})
Or store it with the Corsair CLI: 
pnpm corsair setup --plugin=vapi api_key=your-api-key

Webhook Secret

Vapi uses a shared secret header (x-vapi-secret) rather than an HMAC signature. You choose the secret value and configure it in both your Vapi server URL settings and Corsair.

Step 1: Configure Webhook URL in Vapi

  1. In the Vapi dashboard, go to SettingsWebhooks (or configure per-assistant via serverUrl)
  2. Set the Server URL to your webhook endpoint (e.g., https://yourapp.com/api/webhook)
  3. Set the Server URL Secret to a strong random string — this is the shared secret Vapi will send as the x-vapi-secret header on every request

Step 2: Store the Secret in Corsair

Preferred method — store in the database: 
await corsair
    .withTenant('default')
    .vapi.keys.setWebhookSignature('your-webhook-secret');
Or pass it directly in the plugin configuration:
corsair.ts
vapi({
    webhookSecret: process.env.VAPI_WEBHOOK_SECRET,
})
Or use the CLI: 
pnpm corsair setup --plugin=vapi webhook_signature=your-webhook-secret

Required Credentials Summary

CredentialRequired ForWhere to Find
API KeyAPI callsDashboard → Organization → API Keys
Webhook SecretIncoming webhooksYour own value — set in Vapi’s Server URL Secret field
For general information about how Corsair handles authentication, see Authentication.