Docs / Payload Signing

Payload Signing

Every webhook payload is signed so your service can verify the request before acting on it.

Use the shared secret to calculate an HMAC-SHA256 signature over the request body.

Compare the received signature in constant time to avoid timing attacks.

Rotate secrets periodically and update your endpoint before switching to the new value.