[Bug]: voice-call with Twilio fails when specifying a port in the webhook

[rsteckler]

Summary

voice-call with Twilio requires you provide Twilio a webhook url so Twilio can request instructions about the call and update voice-call with status. When that webhook url contains a port (e.g. https://my.server.com:8443/), the webhook will fail. This is because voice-call tries to verify the x-twilio-signature header with a different algorithm than what Twilio uses. When voice-call sees the signature mis-match, it returns a 401 to Twilio and the call fails.

Steps to reproduce

1. Setup voice-call skill with Twilio
2. Create a Twilio webhook back to voice-call that contains a port (e.g. 80, 443, 8443, 3340)
3. Try to make a call via voice-call skill and note that the Twilio logs show a 401 and the call fails.

Expected behavior

x-twilio-signature verification in voice-call should match the signature provided by Twilio. We should check the signature the exact same way Twilio's official signature verification works by either using the Twilio library or accepting signatures generated with and without the port.

Actual behavior

Twilio generates the signature hash by using a URL without the port specifier. voice-call generates the signature hash with the port. The signatures don't match.

Environment

• Clawdbot version: Openclaw 2026-1-30
• OS: Linux
• Install method (pnpm/npx/docker/etc): pnpm

Logs or screenshots

Line 132 here shows the official Twilio package testing the signature with and without a port.
This line in voice-call just uses the URL as-is without testing with/without the port.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[rcritz]

Additional findings: Twilio is inconsistent between webhook types

We independently hit this same issue and discovered an important detail the original report missed:

Twilio is inconsistent with non-standard ports in signature computation:

• TwiML webhook (Url parameter in the Calls API): Twilio signs WITHOUT the port
• Status callback (StatusCallback parameter): Twilio signs WITH the port

This means simply stripping the port before validation won't fully fix it — you need to try both URL forms.

How we confirmed this

We captured the full POST body and X-Twilio-Signature header from both request types, then computed HMAC-SHA1 signatures against every URL permutation (with/without port, with/without query string). For TwiML webhooks, only the portless URL matched. For status callbacks, only the URL with port matched.

Suggested fix

In verifyTwilioWebhook() in webhook-security.ts, after the initial validateTwilioSignature() fails, try the alternate URL form before rejecting:

// After initial validation fails, try alternate port form
if (options?.publicUrl) {
  try {
    const pubUrl = new URL(options.publicUrl);
    if (pubUrl.port) {
      const altUrl = new URL(verificationUrl);
      if (altUrl.port) {
        altUrl.port = "";           // try WITHOUT port
      } else {
        altUrl.port = pubUrl.port;  // try WITH port
      }
      const altVerificationUrl = altUrl.toString();
      const isValidAlt = validateTwilioSignature(authToken, signature, altVerificationUrl, params);
      if (isValidAlt) {
        return { ok: true, verificationUrl: altVerificationUrl };
      }
    }
  } catch {
    // ignore URL parse errors
  }
}

This is consistent with Twilio's own official library behavior (line 132 in the twilio npm package) which tests both with and without port.

Environment

• OpenClaw 2026.2.9
• Tailscale Funnel on port 8443 (separate from serve on 443 for security)
• Twilio provider with publicUrl: https://host:8443/voice/webhook

Workaround

We patched webhook-security.ts locally — works for both TwiML and status callbacks. The patch gets overwritten on updates, so an upstream fix would be appreciated.

Alternatively, skipSignatureVerification: true in the voice-call config works but is not recommended for production.

[rsteckler]

I did the same - patched to test both with and without. I also submitted a PR, but the PR was rejected as minimally helpful and the bug is marked stale. I empathize with the project owners - there is a LOT happening right now for them.
I created a fixup script I can apply each time I update openclaw - that seems like the most reasonable approach for the medium term.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[rcritz]

Still failing on my end as of OpenClaw 2026.2.22-2.

Setup: Twilio → public Tailscale Funnel on non-standard HTTPS port (:8443). We continue to see webhook signature validation failures when the webhook URL includes an explicit port.

Please keep #6334 open; this is not resolved and it breaks real deployments using Funnel/alternate ports.