Signature Verification

Verify event authenticity before processing external requests.

Verify HMAC signatures using your integration secret and the raw request body.

Reject requests outside accepted timestamp skew windows to limit replay attacks.

Rotate signing secrets on a regular schedule and after incident response events.