All requests made by Plivo to your server URLs consist of a X-Plivo-Signature-V2, X-Plivo-Signature-Ma-V2, and X-Plivo-Signature-V2-Nonce HTTP headers. To validate the request and to verify that the request to your server has originated from Plivo, you must generate the signature at your end and compare it with X-Plivo-Signature-V2 or X-Plivo-Signature-Ma-V2 parameter in the HTTP header and check whether they are identical.

Note that X-Plivo-Signature-V2 is generated using the Auth Token of the associated Main Account or Sub-Account. To validate using X-Plivo-Signature-V2, you must generate the signature at your end using the same Main/Sub-Account.

If you’d like to validate using the Main Account Auth Token always, validate using the X-Plivo-Signature-Ma-V2 request header as it is always generated using the Main Account’s Auth Token.

Generating and Validating the Signature

You can generate the signature by calculating the Keyed-Hash Message Authentication Code (HMAC) with the following parameters:

  • Key - Your Plivo Auth Token
  • Message - Base URI appended with X-Plivo-Signature-V2-Nonce.
  • Hashing Function - SHA256

For example, if the base URI is “” and X-Plivo-Signature-V2-Nonce is “05429567804466091622”, the message will be “”

Validating signatures using the latest server-side SDKs