Payload Signing
Every webhook payload is signed so your service can verify the request before acting on it.
Use the shared secret to calculate an HMAC-SHA256 signature over the request body.
Compare the received signature in constant time to avoid timing attacks.
Rotate secrets periodically and update your endpoint before switching to the new value.