Some products and features are in the process of being renamed. Generative playbook and flow features are also being migrated to a single consolidated console. See the details.
Stay organized with collections
Save and categorize content based on your preferences.
The network traffic initiated by Dialogflow for webhook requests
is sent on a public network.
To ensure that traffic is both secure and trusted in both directions,
Dialogflow optionally supports
Mutual TLS authentication (mTLS).
During Dialogflow's standard TLS handshake,
your webhook server presents a certificate that can be validated by Dialogflow,
either by following the Certificate Authority chain
or by comparing the certificate to a Custom CA certificate.
By enabling mTLS on your webhook server, it will be able to authenticate
the Google certificate presented by Dialogflow
to your webhook server for validation, completing the establishment of mutual
trust.
Requesting mTLS
To request mTLS:
Prepare your webhook HTTPS server to request the client certificate
during the TLS handshake.
Your webhook server should verify the client certificate upon receiving it.
Install a certificate chain for your webhook server,
which can be mutually trusted by both client and server.
Applications connecting to Google services
should trust all the Certificate Authorities listed by
Google Trust Services.
You can download root certs from:
https://pki.goog/.
Sample call to a webhook server using mTLS
This example uses the agent shown in the quickstart with a
webhook server
running
openssl.
Sample setup
A Dialogflow CX agent that takes shirt orders, and sends them to a
webhook pointing to a standalone web server.
A private key for TLS communication in a file named
key.pem.
A request is sent to the agent from a client machine. For this example, the request is
"I want to buy a large red shirt". This request can be sent using the
Dialogflow Console, or through an API call.
Output of openssl s_server in the server machine.
verify depth is 1
Using default temp DH parameters
ACCEPT
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
verify return:1
depth=0 CN = *.dialogflow.com
verify return:1
-----BEGIN SSL SESSION PARAMETERS-----
MII...
-----END SSL SESSION PARAMETERS-----
Client certificate
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
subject=CN = *.dialogflow.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
Shared ciphers:TLS_AES_128_GCM_SHA256:...
Signature Algorithms: ECDSA+SHA256:...
Shared Signature Algorithms: ECDSA+SHA256:...
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Supported Elliptic Groups: 0xEAEA:...
Shared Elliptic groups: X25519:...
CIPHER is TLS_AES_128_GCM_SHA256
Secure Renegotiation IS NOT supported
POST /shirts-agent-webhook HTTP/1.1
authorization: Bearer ey...
content-type: application/json
Host: www.example.com
Content-Length: 1595
Connection: keep-alive
Accept: */*
User-Agent: Google-Dialogflow
Accept-Encoding: gzip, deflate, br
{
"detectIntentResponseId": "a7951ce2-2f00-4af5-a508-4c2cb45698b0",
"intentInfo": {
"lastMatchedIntent": "projects/PROJECT_ID/locations/REGION/agents/AGENT_ID/intents/0adebb70-a727-4687-b8bc-fbbc2ac0b665",
"parameters": {
"color": {
"originalValue": "red",
"resolvedValue": "red"
},
"size": {
"originalValue": "large",
"resolvedValue": "large"
}
},
"displayName": "order.new",
"confidence": 0.9978873
},
"pageInfo": {
"currentPage": "projects/PROJECT_ID/locations/REGION/agents/AGENT_ID/flows/00000000-0000-0000-0000-000000000000/pages/06e6fc4d-c2f2-4830-ab57-7a318f20fd90",
"displayName": "Order Confirmation"
},
"sessionInfo": {
"session": "projects/PROJECT_ID/locations/REGION/agents/AGENT_ID/sessions/session-test-001",
"parameters": {
"color": "red",
"size": "large"
}
},
"fulfillmentInfo": {
"tag": "confirm"
},
"messages": [{
"text": {
"text": ["Ok, let\u0027s start a new order."],
"redactedText": ["Ok, let\u0027s start a new order."]
},
"responseType": "ENTRY_PROMPT",
"source": "VIRTUAL_AGENT"
}, {
"text": {
"text": ["You have selected a large, red shirt."],
"redactedText": ["You have selected a large, red shirt."]
},
"responseType": "HANDLER_PROMPT",
"source": "VIRTUAL_AGENT"
}],
"text": "I want to buy a large red shirt",
"languageCode": "en"
}ERROR
shutting down SSL
CONNECTION CLOSED
Custom Client Certificate
Custom client certificates can be configured at an agent level to be used by all
webhooks. At the time of webhook invocation, the configured certificates will be
presented during the handshake.
The private key and passphrase are configured as a Secret Manager
resource. The Dialogflow service agent will need to be given Secret
Manager Secret Accessor permissions to the secret.
The client certificates need to be signed by a Certificate Authority for the
handshake to be successful.
Best Practice
To make sure that webhook requests are initiated from your own Dialogflow agents,
you should verify the Bearer
service identity token
from the request's Authorization header. Alternatively, you can verify a session
parameter provided previously by an authentication server on your side.
Errors
If the client certificate validation fails
(for example, the webhook server does not trust the client certificate),
the TLS handshake fails and the session terminates.
Common error messages:
Error message
Explanation
Failed to verify client's certificate: x509: certificate signed by unknown authority
Dialogflow sends its client certificate to the external webhook, but the external webhook cannot verify it. This may be because the external webhook didn't install the CA chain correctly. All root CAs from Google should be trusted.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eDialogflow webhook requests travel over a public network, but Mutual TLS (mTLS) can be enabled to secure and authenticate traffic in both directions.\u003c/p\u003e\n"],["\u003cp\u003eEnabling mTLS on your webhook server allows it to validate the Google certificate presented by Dialogflow, establishing mutual trust between the two systems.\u003c/p\u003e\n"],["\u003cp\u003eTo use mTLS, the webhook server must be configured to request and verify the client certificate during the TLS handshake, and use a trusted certificate chain.\u003c/p\u003e\n"],["\u003cp\u003eDialogflow agents can be configured with custom client certificates that are presented during the mTLS handshake with the webhook, which need to be signed by a Certificate Authority.\u003c/p\u003e\n"],["\u003cp\u003eTo ensure the webhook requests are initiated from your Dialogflow agent, verify the Bearer service identity token, or a session parameter provided by your authentication server.\u003c/p\u003e\n"]]],[],null,["# Mutual TLS authentication\n\nThe network traffic initiated by Dialogflow for webhook requests\nis sent on a public network.\nTo ensure that traffic is both secure and trusted in both directions,\nDialogflow optionally supports\n[Mutual TLS authentication (mTLS)](https://en.wikipedia.org/wiki/Mutual_authentication).\nDuring Dialogflow's standard [TLS handshake](https://hpbn.co/transport-layer-security-tls/#tls-handshake),\nyour webhook server presents a certificate that can be validated by Dialogflow,\neither by following the [Certificate Authority chain](https://hpbn.co/transport-layer-security-tls/#chain-of-trust-and-certificate-authorities)\nor by comparing the certificate to a [Custom CA certificate](/dialogflow/cx/docs/concept/custom-ca).\nBy enabling mTLS on your webhook server, it will be able to authenticate\nthe [Google certificate](https://pki.goog/roots.pem) presented by Dialogflow\nto your webhook server for validation, completing the establishment of mutual\ntrust.\n\nRequesting mTLS\n---------------\n\nTo request mTLS:\n\n1. Prepare your webhook HTTPS server to request the client certificate during the TLS handshake.\n2. Your webhook server should verify the client certificate upon receiving it.\n3. Install a certificate chain for your webhook server, which can be mutually trusted by both client and server. Applications connecting to Google services should trust all the Certificate Authorities listed by [Google Trust Services](https://pki.goog/faq/#faq-27). You can download root certs from: \u003chttps://pki.goog/\u003e.\n\nSample call to a webhook server using mTLS\n------------------------------------------\n\nThis example uses the agent shown in the quickstart with a\n[webhook](/dialogflow/cx/docs/concept/webhook) server\nrunning\n[`openssl`](https://www.openssl.org/docs/manmaster/man1/openssl.html).\n\n1. Sample setup\n 1. A Dialogflow CX agent that takes shirt orders, and sends them to a webhook pointing to a standalone web server.\n 2. A private key for TLS communication in a file named `key.pem`.\n 3. A certificate chain signed by a [publicly-trusted\n CA (Certificate Authority)](/load-balancing/docs/ssl-certificates/self-managed-certs#use_a_publicly-trusted_ca) in a file named `fullchain.pem`.\n2. Execute the [`openssl s_server`](https://www.openssl.org/docs/manmaster/man1/openssl-s_server.html) program in the server machine. \n\n ```console\n sudo openssl s_server -key key.pem -cert fullchain.pem -accept 443 -verify 1\n ```\n3. A request is sent to the agent from a client machine. For this example, the request is \"I want to buy a large red shirt\". This request can be sent using the Dialogflow Console, or through an API call.\n4. Output of `openssl s_server` in the server machine. \n\n ```\n verify depth is 1\n Using default temp DH parameters\n ACCEPT\n depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1\n verify return:1\n depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1D4\n verify return:1\n depth=0 CN = *.dialogflow.com\n verify return:1\n -----BEGIN SSL SESSION PARAMETERS-----\n MII...\n -----END SSL SESSION PARAMETERS-----\n Client certificate\n -----BEGIN CERTIFICATE-----\n MII...\n -----END CERTIFICATE-----\n subject=CN = *.dialogflow.com\n\n issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1D4\n\n Shared ciphers:TLS_AES_128_GCM_SHA256:...\n Signature Algorithms: ECDSA+SHA256:...\n Shared Signature Algorithms: ECDSA+SHA256:...\n Peer signing digest: SHA256\n Peer signature type: RSA-PSS\n Supported Elliptic Groups: 0xEAEA:...\n Shared Elliptic groups: X25519:...\n CIPHER is TLS_AES_128_GCM_SHA256\n Secure Renegotiation IS NOT supported\n POST /shirts-agent-webhook HTTP/1.1\n authorization: Bearer ey...\n content-type: application/json\n Host: www.example.com\n Content-Length: 1595\n Connection: keep-alive\n Accept: */*\n User-Agent: Google-Dialogflow\n Accept-Encoding: gzip, deflate, br\n\n {\n \"detectIntentResponseId\": \"a7951ce2-2f00-4af5-a508-4c2cb45698b0\",\n \"intentInfo\": {\n \"lastMatchedIntent\": \"projects/PROJECT_ID/locations/REGION/agents/AGENT_ID/intents/0adebb70-a727-4687-b8bc-fbbc2ac0b665\",\n \"parameters\": {\n \"color\": {\n \"originalValue\": \"red\",\n \"resolvedValue\": \"red\"\n },\n \"size\": {\n \"originalValue\": \"large\",\n \"resolvedValue\": \"large\"\n }\n },\n \"displayName\": \"order.new\",\n \"confidence\": 0.9978873\n },\n \"pageInfo\": {\n \"currentPage\": \"projects/PROJECT_ID/locations/REGION/agents/AGENT_ID/flows/00000000-0000-0000-0000-000000000000/pages/06e6fc4d-c2f2-4830-ab57-7a318f20fd90\",\n \"displayName\": \"Order Confirmation\"\n },\n \"sessionInfo\": {\n \"session\": \"projects/PROJECT_ID/locations/REGION/agents/AGENT_ID/sessions/session-test-001\",\n \"parameters\": {\n \"color\": \"red\",\n \"size\": \"large\"\n }\n },\n \"fulfillmentInfo\": {\n \"tag\": \"confirm\"\n },\n \"messages\": [{\n \"text\": {\n \"text\": [\"Ok, let\\u0027s start a new order.\"],\n \"redactedText\": [\"Ok, let\\u0027s start a new order.\"]\n },\n \"responseType\": \"ENTRY_PROMPT\",\n \"source\": \"VIRTUAL_AGENT\"\n }, {\n \"text\": {\n \"text\": [\"You have selected a large, red shirt.\"],\n \"redactedText\": [\"You have selected a large, red shirt.\"]\n },\n \"responseType\": \"HANDLER_PROMPT\",\n \"source\": \"VIRTUAL_AGENT\"\n }],\n \"text\": \"I want to buy a large red shirt\",\n \"languageCode\": \"en\"\n }ERROR\n shutting down SSL\n CONNECTION CLOSED\n \n ```\n\nCustom Client Certificate\n-------------------------\n\nCustom client certificates can be configured at an agent level to be used by all\nwebhooks. At the time of webhook invocation, the configured certificates will be\npresented during the handshake.\n\nThe private key and passphrase are configured as a Secret Manager\nresource. The Dialogflow service agent will need to be given Secret\nManager Secret Accessor permissions to the secret.\n\nThe client certificates need to be signed by a Certificate Authority for the\nhandshake to be successful.\n\n\nBest Practice\n-------------\n\nTo make sure that webhook requests are initiated from your own Dialogflow agents,\nyou should verify the Bearer\n[service identity token](/dialogflow/cx/docs/concept/webhook#id-token)\nfrom the request's Authorization header. Alternatively, you can verify a session\nparameter provided previously by an authentication server on your side.\n\nErrors\n------\n\nIf the client certificate validation fails\n(for example, the webhook server does not trust the client certificate),\nthe TLS handshake fails and the session terminates.\n\nCommon error messages:"]]
