Webhook Package Documentation

Security

Webhook endpoints are public by design, so they need careful handling.

Always verify signatures

Enable signature verification in production so that deliveries whose signature does not match the shared secret are rejected before they are processed.

'verify_signatures' => true,

Use HTTPS

Configure your providers to deliver webhooks over HTTPS only, so that payloads and signature headers are not exposed in transit.

Keep secrets private

Webhook secrets should be stored in environment variables or a secret manager.

Never commit secrets to Git.

Redact sensitive payload data

Use payload redaction to prevent sensitive fields from being stored in delivery records.
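As an added example (not the package's own redaction code), the function below walks a decoded payload and replaces every sensitive key, at any nesting depth, before the delivery record is written. The field names and the sample payload are constructed for illustration; the keys you redact should come from your own data classification.

```php
<?php
// Added example, not the package's own code: redact sensitive fields from a
// decoded webhook payload before it is stored in a delivery record.
// The key names and the sample payload below are constructed for illustration.

declare(strict_types=1);

const REDACTED = '[REDACTED]';

/**
 * Return a copy of $payload in which every key listed in $sensitiveKeys
 * (matched case-insensitively, at any nesting depth) has its value replaced
 * by REDACTED. The original value is dropped entirely, so the stored record
 * cannot leak it even if the storage backend is later compromised.
 */
function redactPayload(array $payload, array $sensitiveKeys): array
{
    $needles = array_map('strtolower', $sensitiveKeys);

    foreach ($payload as $key => $value) {
        if (is_string($key) && in_array(strtolower($key), $needles, true)) {
            // Sensitive key: replace the whole value, whatever its type.
            $payload[$key] = REDACTED;
        } elseif (is_array($value)) {
            // Nested object or list: recurse so deeply nested keys are caught too.
            $payload[$key] = redactPayload($value, $sensitiveKeys);
        }
    }

    return $payload;
}

// Constructed sample payload, shaped like a typical provider delivery.
$rawBody = json_encode([
    'event' => 'payment.succeeded',
    'data' => [
        'customer' => [
            'email'       => 'alice@example.com',
            'card_number' => '4111111111111111',
        ],
        'amount'   => 1999,
        'metadata' => [
            'api_key'  => 'sk_test_example_only',
            'order_id' => 'ord_42',
        ],
    ],
]);

// Decode the body, then redact before anything is persisted.
$payload = json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);
$safe    = redactPayload($payload, ['card_number', 'api_key', 'email']);

// Only the redacted copy should ever reach the delivery record.
echo json_encode($safe, JSON_PRETTY_PRINT), PHP_EOL;
```

Redact after signature verification (which needs the raw, unmodified body) and before the record is persisted; redacting on read is too late, because the sensitive value has already been written to disk and possibly to backups.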

Rotate secrets safely

When rotating provider secrets, allow both the old and new secret for a short overlap window if your provider supports it.
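The following added example ties together the "Always verify signatures", "Keep secrets private" and "Rotate secrets safely" points above; it is not the package's own verification code. It assumes an HMAC-SHA256 scheme with the signature sent as `sha256=<hex>` in an `X-Webhook-Signature` header, and reads secrets from environment variables named `WEBHOOK_SECRET` and `WEBHOOK_SECRET_PREVIOUS`; the header name, signature format and variable names are assumptions, so substitute whatever your provider and deployment actually use.

```php
<?php
// Added example, not the package's own code: verify an HMAC-SHA256 webhook
// signature, accepting the current secret and, during a rotation window, the
// previous one as well. The header format "sha256=<hex>" and the environment
// variable names are assumptions for this example.

declare(strict_types=1);

/**
 * Compute the expected signature for a raw request body under one secret.
 * The raw bytes must be used: re-encoding a decoded array changes the bytes
 * and therefore the digest, so verification must happen before any decoding.
 */
function computeSignature(string $rawBody, string $secret): string
{
    return 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
}

/**
 * Return true if $headerValue matches $rawBody under any of $secrets.
 * hash_equals() runs in constant time, so the comparison does not leak how
 * many leading bytes matched. Every candidate secret is tried even after a
 * match, so timing does not reveal which secret is currently in use.
 */
function verifySignature(string $rawBody, string $headerValue, array $secrets): bool
{
    $valid = false;
    foreach ($secrets as $secret) {
        if ($secret === '') {
            continue; // an unset or empty secret must never verify anything
        }
        if (hash_equals(computeSignature($rawBody, $secret), $headerValue)) {
            $valid = true;
        }
    }
    return $valid;
}

/**
 * Secrets come from the environment (or a secret manager), never from source
 * control. WEBHOOK_SECRET_PREVIOUS is populated only while a rotation is in
 * progress and cleared again once the provider has switched to the new secret.
 */
function acceptedSecrets(): array
{
    return array_values(array_filter([
        getenv('WEBHOOK_SECRET') ?: '',
        getenv('WEBHOOK_SECRET_PREVIOUS') ?: '',
    ], fn (string $s): bool => $s !== ''));
}

// --- Constructed demonstration; no real provider is involved -----------------
putenv('WEBHOOK_SECRET=new-secret-example');
putenv('WEBHOOK_SECRET_PREVIOUS=old-secret-example');

$rawBody = '{"event":"invoice.paid","id":"evt_example"}';

// During the overlap window a delivery signed with the previous secret is accepted.
$signedWithOld = computeSignature($rawBody, 'old-secret-example');
var_dump(verifySignature($rawBody, $signedWithOld, acceptedSecrets()));

// A body altered by even one byte, or a signature under an unknown secret, is rejected.
var_dump(verifySignature($rawBody . ' ', $signedWithOld, acceptedSecrets()));
var_dump(verifySignature($rawBody, computeSignature($rawBody, 'unknown'), acceptedSecrets()));

// Closing the window: clear the previous secret so deliveries signed with it stop verifying.
putenv('WEBHOOK_SECRET_PREVIOUS=');
var_dump(verifySignature($rawBody, $signedWithOld, acceptedSecrets()));
```

Keep the overlap window short and remove the previous secret deliberately when it ends; a "previous" secret that is never cleared is simply a second permanent secret, which defeats the purpose of rotating.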
