Webhook signing secrets for payload verification

Pablo Durán
Software Engineer at TheirStack
Your webhooks can now include a signing secret so every delivery is cryptographically signed.
Until now, there was no built-in way to confirm that an incoming payload actually originated from TheirStack—your endpoint had to rely on source IP or URL alone.
Set a signing secret (minimum 16 characters) and every delivery will carry an X-TheirStack-Signature-256 header containing the HMAC-SHA256 signature of the raw payload. Recompute the HMAC over the raw payload on your side and compare it with the header value to confirm authenticity and integrity.
In practice:
- Payload authenticity — Know for certain each delivery was sent by TheirStack, not a third party.
- Tamper detection — Any modification to the payload in transit will cause the signature check to fail.
- One-click setup — Generate a secret directly in the webhook form, or bring your own. Also available via the webhooks API.
See the verification guide for code examples and step-by-step instructions.
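
A receiver-side check of the X-TheirStack-Signature-256 header, as an added example rather than TheirStack's own code. It assumes the header carries a hex-encoded digest (optionally prefixed with `sha256=`), which the announcement does not specify; the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac

HEADER_NAME = "X-TheirStack-Signature-256"  # header name from the announcement
MIN_SECRET_LEN = 16  # minimum secret length stated in the announcement


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw body, hex-encoded (the encoding is an assumption)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_delivery(secret: str, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the header carries a valid signature for raw_body."""
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("signing secret must be at least 16 characters")
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME.lower())
    if not received:
        return False  # unsigned delivery: reject instead of trusting IP or URL
    received = received.strip()
    # Assumption: tolerate a "sha256=" prefix in case the header uses one.
    if received.lower().startswith("sha256="):
        received = received[len("sha256="):]
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison avoids leaking how many leading characters match.
    return hmac.compare_digest(expected.encode(), received.lower().encode())


# Constructed sample data (not real TheirStack values).
SAMPLE_SECRET = "constructed-secret-0123456789"
SAMPLE_BODY = b'{"event":"job.new","id":123}'
SAMPLE_HEADERS = {HEADER_NAME: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print("untouched body:", verify_delivery(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    # Re-serialising parsed JSON changes the bytes, so verify the raw body as received.
    reserialised = b'{"event": "job.new", "id": 123}'
    print("re-serialised body:", verify_delivery(SAMPLE_SECRET, reserialised, SAMPLE_HEADERS))
```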
