Stay organized with collections
Save and categorize content based on your preferences.
The network traffic initiated by Dialogflow for webhook requests
is sent on a public network.
To ensure that traffic is both secure and trusted in both directions,
Dialogflow optionally supports
Mutual TLS authentication (mTLS).
During Dialogflow's standard TLS handshake,
your webhook server presents a certificate that can be validated by Dialogflow,
either by following the Certificate Authority chain
or by comparing the certificate to a Custom CA certificate.
By enabling mTLS on your webhook server, it will be able to authenticate
the Google certificate presented by Dialogflow
to your webhook server for validation, completing the establishment of mutual
trust.
Requesting mTLS
To request mTLS:
Prepare your webhook HTTPS server to request the client certificate
during the TLS handshake.
Your webhook server should verify the client certificate upon receiving it.
Install a certificate chain for your webhook server,
which can be mutually trusted by both client and server.
Applications connecting to Google services
should trust all the Certificate Authorities listed by
Google Trust Services.
You can download root certs from:
https://pki.goog/.
Sample call to a webhook server using mTLS
This example uses the agent shown in the quickstart with a
webhook server
running
openssl.
Sample setup
A Dialogflow ES agent that greets the end user and queries a
webhook pointing to a standalone web server.
A private key for TLS communication in a file named
key.pem.
A request is sent to the agent from a client machine. For this example, the request is
"Hi". This request can be sent using the Dialogflow Console, or
through an API call.
To make sure that webhook requests are initiated from your own Dialogflow agents,
you should verify the Bearer
service identity token
from the request's Authorization header. Alternatively, you can verify a session
parameter provided previously by an authentication server on your side.
Errors
If the client certificate validation fails
(for example, the webhook server does not trust the client certificate),
the TLS handshake fails and the session terminates.
Common error messages:
Error message
Explanation
Failed to verify client's certificate: x509: certificate signed by unknown authority
Dialogflow sends its client certificate to the external webhook, but the external webhook cannot verify it. This may be because the external webhook didn't install the CA chain correctly. All root CAs from Google should be trusted.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eDialogflow supports Mutual TLS (mTLS) authentication to secure and verify network traffic for webhook requests.\u003c/p\u003e\n"],["\u003cp\u003eEnabling mTLS allows your webhook server to authenticate the Google certificate presented by Dialogflow, establishing mutual trust.\u003c/p\u003e\n"],["\u003cp\u003eTo implement mTLS, your webhook HTTPS server must request and verify the client certificate during the TLS handshake, and have a trusted certificate chain installed.\u003c/p\u003e\n"],["\u003cp\u003eYou can verify the origin of webhook requests by validating the Bearer service identity token or a session parameter.\u003c/p\u003e\n"],["\u003cp\u003eIf client certificate validation fails during the TLS handshake, the connection will be terminated, likely due to the webhook server not trusting the Dialogflow certificate.\u003c/p\u003e\n"]]],[],null,["# Mutual TLS authentication\n\nThe network traffic initiated by Dialogflow for webhook requests\nis sent on a public network.\nTo ensure that traffic is both secure and trusted in both directions,\nDialogflow optionally supports\n[Mutual TLS authentication (mTLS)](https://en.wikipedia.org/wiki/Mutual_authentication).\nDuring Dialogflow's standard [TLS handshake](https://hpbn.co/transport-layer-security-tls/#tls-handshake),\nyour webhook server presents a certificate that can be validated by Dialogflow,\neither by following the [Certificate Authority chain](https://hpbn.co/transport-layer-security-tls/#chain-of-trust-and-certificate-authorities)\nor by comparing the certificate to a [Custom CA certificate](/dialogflow/cx/docs/concept/custom-ca).\nBy enabling mTLS on your webhook server, it will be able to authenticate\nthe [Google certificate](https://pki.goog/roots.pem) presented by Dialogflow\nto your webhook server for validation, completing the establishment of mutual\ntrust.\n\nRequesting mTLS\n---------------\n\nTo request mTLS:\n\n1. Prepare your webhook HTTPS server to request the client certificate during the TLS handshake.\n2. Your webhook server should verify the client certificate upon receiving it.\n3. Install a certificate chain for your webhook server, which can be mutually trusted by both client and server. Applications connecting to Google services should trust all the Certificate Authorities listed by [Google Trust Services](https://pki.goog/faq/#faq-27). You can download root certs from: \u003chttps://pki.goog/\u003e.\n\nSample call to a webhook server using mTLS\n------------------------------------------\n\nThis example uses the agent shown in the quickstart with a\n[webhook](/dialogflow/cx/docs/concept/webhook) server\nrunning\n[`openssl`](https://www.openssl.org/docs/manmaster/man1/openssl.html).\n\n1. Sample setup\n 1. A Dialogflow ES agent that greets the end user and queries a webhook pointing to a standalone web server.\n 2. A private key for TLS communication in a file named `key.pem`.\n 3. A certificate chain signed by a [publicly-trusted\n CA (Certificate Authority)](/load-balancing/docs/ssl-certificates/self-managed-certs#use_a_publicly-trusted_ca) in a file named `fullchain.pem`.\n2. Execute the [`openssl s_server`](https://www.openssl.org/docs/manmaster/man1/openssl-s_server.html) program in the server machine. \n\n ```console\n sudo openssl s_server -key key.pem -cert fullchain.pem -accept 443 -verify 1\n ```\n3. A request is sent to the agent from a client machine. For this example, the request is \"Hi\". This request can be sent using the Dialogflow Console, or through an API call.\n4. Output of [`openssl s_server`](https://www.openssl.org/docs/manmaster/man1/openssl-s_server.html) in the server machine. \n\n ```\n verify depth is 1\n Using default temp DH parameters\n ACCEPT\n depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1\n verify return:1\n depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1D4\n verify return:1\n depth=0 CN = *.dialogflow.com\n verify return:1\n -----BEGIN SSL SESSION PARAMETERS-----\n MII...\n -----END SSL SESSION PARAMETERS-----\n Client certificate\n -----BEGIN CERTIFICATE-----\n MII...\n -----END CERTIFICATE-----\n subject=CN = *.dialogflow.com\n\n issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1D4\n\n Shared ciphers:TLS_AES_128_GCM_SHA256:...\n Signature Algorithms: ECDSA+SHA256:...\n Shared Signature Algorithms: ECDSA+SHA256:...\n Peer signing digest: SHA256\n Peer signature type: RSA-PSS\n Supported Elliptic Groups: 0x6A6A:...\n Shared Elliptic groups: X25519:...\n CIPHER is TLS_AES_128_GCM_SHA256\n Secure Renegotiation IS NOT supported\n POST /dialogflowFulfillment HTTP/1.1\n authorization: Bearer ey...\n content-type: application/json\n Host: www.example.com\n Content-Length: 1011\n Connection: keep-alive\n Accept: */*\n User-Agent: Google-Dialogflow\n Accept-Encoding: gzip, deflate, br\n\n {\n \"responseId\": \"96c0029a-149d-4f5d-b225-0b0bb0f0c8d9-afbcf665\",\n \"queryResult\": {\n \"queryText\": \"Hi\",\n \"action\": \"input.welcome\",\n \"parameters\": {\n },\n \"allRequiredParamsPresent\": true,\n \"outputContexts\": [{\n \"name\": \"projects/PROJECT-ID/agent/sessions/58ab33f3-b57a-aae9-fb23-8306242d4871/contexts/__system_counters__\",\n \"parameters\": {\n \"no-input\": 0.0,\n \"no-match\": 0.0\n }\n }],\n \"intent\": {\n \"name\": \"projects/PROJECT-ID/agent/intents/399277d6-2ed7-4329-840d-8baa0f60480e\",\n \"displayName\": \"Default Welcome Intent\"\n },\n \"intentDetectionConfidence\": 1.0,\n \"languageCode\": \"en\",\n \"sentimentAnalysisResult\": {\n \"queryTextSentiment\": {\n \"score\": 0.2,\n \"magnitude\": 0.2\n }\n }\n },\n \"originalDetectIntentRequest\": {\n \"source\": \"DIALOGFLOW_CONSOLE\",\n \"payload\": {\n }\n },\n \"session\": \"projects/PROJECT-ID/agent/sessions/58ab33f3-b57a-aae9-fb23-8306242d4871\"\n }ERROR\n shutting down SSL\n CONNECTION CLOSED\n \n ```\n\nBest Practice\n-------------\n\nTo make sure that webhook requests are initiated from your own Dialogflow agents,\nyou should verify the Bearer\n[service identity token](/dialogflow/cx/docs/concept/webhook#id-token)\nfrom the request's Authorization header. Alternatively, you can verify a session\nparameter provided previously by an authentication server on your side.\n\nErrors\n------\n\nIf the client certificate validation fails\n(for example, the webhook server does not trust the client certificate),\nthe TLS handshake fails and the session terminates.\n\nCommon error messages:"]]
