Signature verification
Each webhook request includes signature headers that you should verify before processing:
- Extract signature – Get the signature from the X-Tesouro-Signature header
- Compute expected signature – Use your webhook secret and the request body
- Compare signatures – Verify the computed signature matches the received signature
- Reject invalid requests – Return a 401 status if signatures don't match
Always verify webhook signatures before processing events. This prevents
malicious actors from sending fake webhooks to trigger unauthorized actions in
your system.
Secret rotation
Webhook signing secrets can be rotated for security:
- New secrets can be added before old ones are removed
- Verify against both old and new secrets during the rotation period
- Remove old secrets only after all in-flight webhooks are processed
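The following is an added example covering both the verification steps above and the rotation overlap; it is illustration code, not Tesouro's own library. The page does not state the signing algorithm or encoding, so this example assumes the X-Tesouro-Signature header carries a lowercase hex HMAC-SHA256 of the raw request body keyed with the webhook signing secret (confirm the real scheme against the provider's documentation). The secrets and payload are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Assumption (not stated on the page): signature = hex(HMAC-SHA256(secret, raw_body)).
def compute_signature(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, received: Optional[str], secrets: List[bytes]) -> bool:
    """Return True if `received` matches the HMAC of `body` under any active secret.

    Taking a list of secrets is what makes rotation work: while the old and new
    secrets overlap, a webhook signed with either one is accepted. hmac.compare_digest
    is used so response timing does not reveal how many leading characters matched.
    """
    if not received:
        return False
    candidate = received.strip().lower().encode()
    for secret in secrets:
        expected = compute_signature(secret, body).encode()
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def handle_webhook(headers: Dict[str, str], body: bytes, secrets: List[bytes]) -> int:
    """Minimal handler: 401 on a missing or invalid signature, 200 once verified."""
    # HTTP header names are case-insensitive; normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get("x-tesouro-signature")
    if not verify_signature(body, received, secrets):
        return 401
    # Process the event here, only after verification succeeded.
    return 200


# Constructed sample values for a stand-alone run (not real secrets or payloads).
OLD_SECRET = b"whsec_old_example_secret"
NEW_SECRET = b"whsec_new_example_secret"
SAMPLE_BODY = b'{"id":"evt_123","type":"payment.settled"}'

if __name__ == "__main__":
    headers = {"X-Tesouro-Signature": compute_signature(NEW_SECRET, SAMPLE_BODY)}
    # During rotation both secrets are active, so the new-secret signature passes.
    print(handle_webhook(headers, SAMPLE_BODY, [OLD_SECRET, NEW_SECRET]))
    # If the new secret was never added, the same request is rejected.
    print(handle_webhook(headers, SAMPLE_BODY, [OLD_SECRET]))
    # Any change to the body (even one byte) invalidates the signature.
    print(handle_webhook(headers, SAMPLE_BODY + b" ", [OLD_SECRET, NEW_SECRET]))
```

Note that the HMAC is computed over the raw bytes of the request as received; re-serialising a parsed JSON body before signing will change whitespace or key order and produce spurious 401s. Removing OLD_SECRET from the active list is the final rotation step, taken only once no webhook signed with it can still be in flight.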