Webhooks

A webhook can either be a standard webhook or a flexible webhook. With a standard webhook, the request and response fields are defined by Conversational Agents (Dialogflow CX). With a flexible webhook, you define the request and response fields.

Standard webhooks

With standard webhooks, you use Conversational Agents (Dialogflow CX)-defined request and response messages. The request message provides many details about the session. For example, current active page, recent matched intent, session parameter values, and agent-defined responses are all included.

Standard webhook request

When a fulfillment with a webhook is called, Conversational Agents (Dialogflow CX) sends an HTTPS POST webhook request to your webhook service. The body of this request is a WebhookRequest JSON object with information about the session.

Some integrations populate the WebhookRequest.payload field with additional information. For example, the Dialogflow CX Phone Gateway integration provides the end-user caller ID.

See the WebhookRequest(V3) or WebhookRequest(V3Beta1) reference documentation for details.

Standard webhook response

Once your webhook service receives a webhook request, it needs to send a webhook response. The following limitations apply to your response:

• The response must occur within a timeout that you configure when creating the webhook resource, otherwise the request will time out.
• The response must be less than or equal to 64 KiB in size.

See the WebhookResponse(V3) or WebhookResponse(V3Beta1) reference documentation for details.

Standard webhook resource settings

The following describes webhook resource settings for standard webhooks:

Flexible webhooks

With flexible webhooks, you define the request HTTP method, request URL parameters, and fields of the request and response messages. The request can only provide selected parameter values, and the response can only provide parameter override values. This limitation is actually beneficial, because it simplifies the interface between the agent and the webhook. There is rarely a need to communicate anything other than session parameter values between an agent and a webhook. It also simplifies your webhook implementation, because the request and response messages only contain what you need, and you can provide unique webhook messages for various scenarios.

Flexible webhook request

When creating the webhook resource for your agent, you can specify the following for webhook requests:

• The HTTP method used for webhook requests sent to your webhook service.
• Session parameter values that Conversational Agents (Dialogflow CX) should send to your webhook service using the URL.
• If you choose POST, PUT, or PATCH as the method, you can specify session parameter values that Conversational Agents (Dialogflow CX) should send to your webhook service through the request JSON body.

To send session parameter values using the request URL or JSON body, use parameter references as you normally would. You do not need to URL-escape the parameter reference, and you do not wrap the reference in quotations. At runtime, Conversational Agents (Dialogflow CX) will URL-escape the parameter value as needed. A list or composite value will be provided as JSON.

When using a parameter reference in the JSON body, you must wrap the reference in quotations, regardless of the parameter's type. If the parameter is actually a numeric scalar, list, or composite value, Conversational Agents (Dialogflow CX) will remove the quotes when sending the request at runtime to preserve the parameter's datatype. String scalar types will remained quoted. If a numeric scalar, list, or composite value is referenced within a string value (for example: "This is a number: $session.params.size"), the parameter will be treated as a string ("This is a number: 3").

For example, you can provide the fruit and size session parameter values to the request URL like this:

https://your-webhook-service.com/handler?f=$session.params.fruit&s=$session.params.size

And, to the request JSON body like this:

{
  "fruitParameter": "$session.params.fruit",
  "sizeParameter": "$session.params.size"
}

Flexible webhook response

When creating the webhook resource for your agent, you can specify session parameters that Conversational Agents (Dialogflow CX) should set to specific fields of the webhook response at runtime.

The following limitations apply to your response:

• The response must occur within a timeout that you configure when creating the webhook resource, otherwise the request will time out.
• The response must be less than or equal to 64 KiB in size.

Use the following format to specify a scalar, list, or composite field:

$.fully.qualified.path.to.field

For example, consider the following JSON response:

{
  "routes" : [
    {
      "legs" : [
        {
          "distance" : {
            "text" : "2,064 mi",
            "value" : 3321004
          }
        }
      ]
    }
  ]
}

To specify the "value" field, use the following:

$.routes[0].legs[0].distance.value

Flexible webhook resource settings

The following describes webhook resource settings for flexible webhooks:

Use a predefined custom template

Dialogflow offers predefined custom templates that you can use to integrate flexible webhooks with Salesforce CRM.

1. Under the Manage tab, click Webhooks and then + Create.

2. Under Subtype, select Flexible.

3. Click Configure using predefined template to enable the feature.

4. In the Integration type drop-down menu, select Salesforce.

5. In the API name drop-down menu, select an API name. The template automatically fills out the webhook form based on the API name you choose.

   1. You can manually configure the following fields if applicable, based on your parameters:

      • Webhook URL
      • Method
      • Request body JSON
      • Response Configuration

   2. The required OAuth fields will be highlighted in the Authentication section.

6. Click Save to create the webhook.

Webhook service requirements

The following requirements must be met by your webhook service:

• It must handle HTTPS requests. HTTP is not supported. If you host your webhook service on Google Cloud Platform using a Compute or Serverless computing solution, see the product documentation for serving with HTTPS. For other hosting options, see Get an SSL certificate for your domain.
• Its URL for requests must be publicly accessible, unless it is hosted as a Cloud Run resource or it is accessed as a Service directory webhook.
• It must handle requests and responses as described in the standard webhook or flexible webhook section.
• If your agent does not integrate with Service Directory private network access, webhook calls are considered outside the service perimeter and are blocked when enabling VPC Service Controls. Limited endpoints are supported by Service Directory; refer to Service Directory for details.

Authentication

It's important to secure your webhook service, so that only you or your Conversational Agents (Dialogflow CX) agent are authorized to make requests. This is configured when creating or editing a webhook resource. Conversational Agents (Dialogflow CX) supports the following mechanisms for authentication:

Third-party OAuth

Conversational Agents (Dialogflow CX) can collect an access token from a third-party OAuth provider and add it to the authorization HTTP header when making its webhook requests.

The following describes resource settings for third-party OAuth:

Requests sent to the OAuth Endpoint URL to receive a token don't include the custom request headers configured for the webhook request. You can pass custom information to the OAuth server as parameters within the OAuth endpoint URL's query string.

Service agent ID token

Conversational Agents (Dialogflow CX) can generate an ID token using Conversational Agents (Dialogflow CX) service agent.

The token is added in the authorization HTTP header when Conversational Agents (Dialogflow CX) calls a webhook.

An ID token can be used to access Cloud Run resources after you grant Invoker role permissions to

service-agent-project-number@gcp-sa-dialogflow.iam.gserviceaccount.com

The audience used to generate the ID token will be the entire webhook URL except any query parameters. If you are using Cloud Run, make sure this URL is supported by the Cloud Run audiences. For example if the webhook URL is

https://myproject.cloudfunctions.net/my-function/method1?query=value

the following URL needs to be in custom audiences.

https://myproject.cloudfunctions.net/my-function/method1

Any webhook can also optionally validate the token using Google client libraries or open source libraries like github.com/googleapis/google-auth-library-nodejs.

Service Account

Service accounts can be used to authenticate webhook requests to any Google APIs which support it.

If you haven't already, create a service account.

Because service accounts are principals, they can access resources in your project by granting it a role, just like you would for any other principal. The service account email will be used to generate an access token which will be sent in the Authorization header of the webhook request.

The user who is configuring the webhook to use service accounts must have the following permissions:

• roles/iam.serviceAccountUser

In order for Conversational Agents (Dialogflow CX) to generate tokens, the Dialogflow Service Agent must have the following permissions:

• roles/iam.serviceAccountTokenCreator

The service account must also have permissions to access the service that is hosting the webhook.

Secret Manager Authentication

If you use authentication headers, basic auth with username and password, or third-party OAuth, you can store the credentials as secrets using Secret Manager. Here are the necessary steps to authenticate your webhook using secrets:

1. Create your secret if you don't have one already.
2. Grant Dialogflow Service Agent the Secret Manager Secret Accessor (roles/secretmanager.secretAccessor) role on the new secret.
3. Copy your credential into the clipboard.
4. Add a new secret version to your secret. Paste your credential as the secret value.
   • If you use authentication headers, enter Bearer <YOUR_CREDENTIAL>.
   • If you use basic username and password authentication, enter <YOUR_USERNAME>:<YOUR_PASSWORD> instead.
   • Omit any newline character at the end.
5. Copy the name of the secret version you just added. The name format is projects/{project_id}/secrets/{secret_id}/versions/{version_id}".
6. Open the webhook edit screen, then:
   • If you use authentication headers, create a new Secret version request header. Enter "Authorization" as Key, and paste the secret version name to the Secret version input box.
   • If you use basic username and password authentication, click Secret version under Basic Auth and paste the secret version name to the Secret version input box.
   • If you use third-party OAuth, click Secret version under Third-party OAuth and paste the secret version name to the Secret version input box.
7. Click Save.

HTTPS certificate verification

Conversational Agents (Dialogflow CX) by default uses Google's default trust store to verify HTTPS certificates. If you intend to use certificates not recognized by Google's default trust store for your HTTPS server, such as self-signed certificates or custom root certificates, please refer to Custom CA certificates.

Environment-specific webhooks

If you are using environments to isolate production systems from development systems (recommended), you can configure your webhooks to be environment-specific. For each webhook resource you define, you can provide unique URL and authentication settings for each environment that you have defined for the agent.

This allows you to safely develop and test your webhook code updates before deploying them to production.

Create or edit webhook resources

Once you have a webhook service running, you need to create a webhook resource in your agent that has connectivity and authentication information. After creation, you can also edit webhook resource settings at any time.

To create or edit a webhook resource:

Webhook errors

If your webhook service encounters an error while handling a webhook request, your webhook code should return one of the following HTTP status codes:

• 400 Bad Request
• 401 Unauthorized
• 403 Forbidden
• 404 Not found
• 500 Server fault
• 503 Service Unavailable

In any of the following error situations, Conversational Agents (Dialogflow CX) invokes a webhook error or timeout built-in event and continues processing as usual:

• Response timeout exceeded.
• Error status code received.
• Response is invalid.
• Webhook service is unavailable.

In addition, if the webhook service call was triggered by a detect intent API call, the queryResult.webhookStatuses field in the detect intent response contains the webhook status information.

Automatic retries

Conversational Agents (Dialogflow CX) includes internal mechanisms that automatically retry on certain webhook errors to improve robustness. Only non-terminal errors are retried (for example, timeout or connection errors).

To reduce the likelihood of duplicated calls:

• Set longer webhook timeout thresholds.
• Support idempotency in webhook logic or deduplicate.

Using Cloud Run

Conversational Agents (Dialogflow CX) integrates with Cloud Run, so you can create a secure, serverless webhook. If you create a Cloud Run resource that resides in the same project as your agent, select Service Agent Auth -> ID Token in the Auth configuration so that your agent can securely call your webhook.

However, there are two situations in which you must manually set up this integration:

1. The Conversational Agents (Dialogflow CX) Service Agent service account with the following address must exist for your agent project:

   service-agent-project-number@gcp-sa-dialogflow.iam.gserviceaccount.com

   This special service account and the associated key is normally created automatically when you create the first agent for a project. If your agent was created before November 01, 2020, you may trigger creation of this special service account:
   1. Create a new agent for the project.
   2. Execute the following command:

      gcloud beta services identity create --service=dialogflow.googleapis.com --project=agent-project-id

2. If your webhook function resides in a different project than the agent, you must provide the Cloud Run Invoker or Cloud Functions Invoker IAM role to the Conversational Agents (Dialogflow CX) Service Agent service account in your Cloud Run resource's project.
3. Select Service Agent Auth -> ID Token in the Auth configuration section.

Using containerized webhooks and the Go ezcx framework

If you would like to implement a containerized webhook using Go, see the Go ezcx framework. This framework can simplify many of the steps required when creating a webhook.

Using Cloud Run with internal only traffic

Cloud Run resources that are set up to accept internal traffic from VPC networks in the same project or the same VPC Service Controls perimeter can be used as a webhook as long as the agent is in the same project or the same VPC Service Controls perimeter.

Using Service Directory for private network access

Conversational Agents (Dialogflow CX) integrates with Service Directory private network access, so it can connect to webhook targets inside your VPC network. This keeps the traffic within the Google Cloud network and enforces IAM and VPC Service Controls.

To set up a webhook targeting a private network:

1. Follow Service Directory private network configuration to configure your VPC network and Service Directory endpoint.

2. The Conversational Agents (Dialogflow CX) Service Agent service account with the following address must exist for your agent project:

   service-agent-project-number@gcp-sa-dialogflow.iam.gserviceaccount.com

   Grant the following roles to Conversational Agents (Dialogflow CX) Service Agent service account in the project where your Service Directory is located:

   • servicedirectory.viewer
   • servicedirectory.pscAuthorizedService

   Additionally, if your Service Directory is in a different project than your Dialogflow CX agent, you also need to grant the servicedirectory.viewer role to the Conversational Agents (Dialogflow CX) Service Agent account in the project that hosts your Dialogflow CX agent.

3. Provide Service Directory Service along with the URL and optional authentication information when creating the webhook.

   Console

   

   API

   See the serviceDirectory field for the Webhook type. Go to the Webhook API reference

   Select a protocol and version for the Webhook reference:

   Protocol	V3	V3beta1
   REST	Webhook resource	Webhook resource
   RPC	Webhook interface	Webhook interface
   C++	WebhooksClient	Not available
   C#	WebhooksClient	Not available
   Go	WebhooksClient	Not available
   Java	WebhooksClient	WebhooksClient
   Node.js	WebhooksClient	WebhooksClient
   PHP	Not available	Not available
   Python	WebhooksClient	WebhooksClient
   Ruby	Not available	Not available

   Close

To troubleshoot issues, you can set up a private uptime check to check that your Service Directory is correctly configured.

Samples and troubleshooting

See the webhook how-to guide.