You can verify that requests are valid and are coming from our platform by checking the sha256 signature of the posted JSON data.
The signature can be found in the x-hook-signature header.
Every webhook has a unique secret key that can be used to generate a hash to compare the signature with.
const hash = crypto.createHmac('sha256', secret)
.update(req.body) // the raw JSON string
.digest('hex')
if (req.headers['x-hook-signature'] !== hash) {
throw new Error('Invalid Request')
}