In accordance with best-practice webhook security protocols, we've implemented webhook signature headers. When you are issued an API access token, we can also generate a webhook secret that you can use to verify that event payloads haven't been corrupted.
This feature is optional, and no signature is included unless a webhook secret has been configured. However, we strongly encourage you to use this functionality, and all new API tokens will be issued with a webhook secret.
Here's how to verify the signatures:
- Retrieve the signature from the X-Hub-Signature-256 header.
- Determine the expected signature by computing an HMAC with the SHA256 hash function. Use your webhook secret as the key, and use the request's JSON payload as the message.
- Compare the signatures.
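
The three steps above as an added Python example; it is not code from this API's provider. It assumes the header value is a hex digest, optionally prefixed with `sha256=` (the page does not specify the encoding), and the function names and sample values are constructed for illustration. The HMAC is computed over the raw request bytes as received, because re-serialized JSON yields a different digest.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "X-Hub-Signature-256"


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes received, keyed with the webhook secret."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the header signature matches the received body."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        # With a secret configured, a missing signature is a failure, not a pass.
        return False
    received = received.strip().lower()
    # Assumption: hex digest, optionally prefixed with "sha256=".
    if received.startswith("sha256="):
        received = received[len("sha256="):]
    expected = expected_signature(secret, raw_body)
    # Constant-time comparison; bytes are used because compare_digest
    # rejects non-ASCII str input with a TypeError.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample values, not real credentials or events.
SAMPLE_SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"event":"order.updated","id":42}'
SAMPLE_HEADERS = {
    "x-hub-signature-256": "sha256=" + expected_signature(SAMPLE_SECRET, SAMPLE_BODY)
}

if __name__ == "__main__":
    # Untouched body: signature matches.
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
    # Same JSON re-serialized with different whitespace: signature fails.
    reserialized = b'{"event": "order.updated", "id": 42}'
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, reserialized))
```

Capture the request body before any JSON parsing middleware runs, and reject the request when verification returns False.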