In accordance with best-practice webhook security protocols, we've implemented webhook signature headers. When you are issued an API access token, we can also generate a webhook secret that you can use to verify that event payloads haven't been corrupted.

This feature is optional, and no signature is included unless a webhook secret has been configured. However, we strongly encourage you to use this functionality, and all new API tokens will be issued with a webhook secret.

Here's how to verify the signatures:

Retrieve the signature from the X-Hub-Signature-256 header.
Determine the expected signature by computing an HMAC with the SHA256 hash function. Use your webhook secret as the key, and use the raw request body as the message. (This should be a string, not the parsed JSON.)
Compare the signatures.