Click-to-call

Drop a “Call me now” button on any website or CRM. A visitor enters their number and Voxy immediately originates an outbound call from your configured agent — a callback in seconds, no phone system on your side.

Set up a button

In Workspace → Integrations, create a click-to-call source. Choose the agent that will place callbacks and add every website origin allowed to use the button. The source’s id is your button token — paste it into the snippet below.

Install the snippet

Paste this before the closing </body> tag. The loader is ES5, never throws into your page, and leaks no globals beyond window.VoxyClickToCall.

<script
  src="https://voxyhq.com/click-to-call.js"
  data-voxy-token="01ABCDEFGHJKMNPQRSTVWXYZ00"
  data-voxy-label="Call me now"
  async
></script>

Programmatic use

Prefer your own button? Call the loader’s API directly — it returns a promise that never rejects.

// Already loaded the script? Originate a callback from your own button.
const result = await window.VoxyClickToCall.requestCall({
  token: '01ABCDEFGHJKMNPQRSTVWXYZ00',
  phone: '+13125550100',         // visitor callback number, E.164
  name:  'Jess Rivera',          // optional, shown to the agent
  requestId: 'lead-4821',        // optional idempotency hint
});
// -> { ok: true, callId } | { ok: false, error }

Allowed origins

The button only works on origins you allowlist on the source. The server re-checks the request Origin header against that list and rejects mismatches with 403 — possession of the token alone is not enough.

The public API

The loader posts to one public endpoint. It is throttled per-IP and honours Idempotency-Key so a double-clicked button never places two calls.

# The loader posts to this public endpoint. No API key — the token is the
# capability and the embedding origin is re-validated server-side.
curl -X POST https://voxyhq.com/v1/public/click-to-call/01ABCDEFGHJKMNPQRSTVWXYZ00 \
  -H 'origin: https://shop.example.com' \
  -H 'content-type: application/json' \
  -H 'idempotency-key: lead-4821' \
  -d '{ "origin": "https://shop.example.com", "phone": "+13125550100", "name": "Jess" }'
# -> 202 { "success": true, "data": { "status": "queued", "callId": "01CALL…" } }

Security model

• The token grants exactly one capability: originate a callback from the configured agent. It cannot read data or reach any other surface.
• Origin is validated server-side and must match the Origin header — a forged body origin is rejected.
• Callbacks respect your workspace DNC list and the global hard-block list. See rate limits for the per-IP budget.