Why verify

Webhook signatures protect you from spoofed callbacks.

How to verify

  1. Retrieve the signature header sent with the callback
  2. Compute your own signature using the shared secret
  3. Compare calculated vs received values