Question:
How do we verify that a webhook actually came from the provider and not from an attacker? (HMAC signature, mTLS certificate, IP allowlist, etc.)
Answer:
HMAC-SHA256 signature in the Webhook-Signature header, formatted t=<unix>,v1=<hex>, computed over <timestamp>.<raw-body> using a unique per-endpoint signing secret (encrypted at rest, rotatable). The timestamp guards against replay; verify server-side before processing. Each delivery carries a stable id for idempotent retry handling. Delivery is SSRF-guarded; source-IP details available on request.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article