## Admin Access

All `/admin/*` endpoints require the `X-Admin-Key` header.

Example:

```bash
curl -H "X-Admin-Key: YOUR_ADMIN_API_KEY" \
  "https://your-host.example/admin/calls/recent?limit=20"
```

Environment:

```env
ADMIN_API_KEY=CHANGE_ME_LONG_RANDOM_SECRET
```

## VPBX Webhook Protection

The VPBX webhook must include the shared secret either as a query parameter or header.

Recommended webhook URL:

```text
https://vpbx.n-e.kz/vpbx/webhook?secret=YOUR_VPBX_WEBHOOK_SECRET
```

Alternative header:

```text
X-VPBX-Webhook-Secret: YOUR_VPBX_WEBHOOK_SECRET
```

Environment:

```env
VPBX_WEBHOOK_SECRET=CHANGE_ME_LONG_RANDOM_SECRET
```

## Notes

- Do not expose real secrets in documentation, shell history, screenshots, or logs.
- `/health` remains public and only reports whether security settings are configured.