
How do ESPs verify webhook and API integrity?

Webhooks and APIs are integration points that need protection against tampering and abuse.

Webhook security:

  • Signature validation: The ESP signs each webhook payload with a secret key. You recompute the signature over the raw request body and compare it to the one sent; a match proves the payload was not modified in transit and was produced by a party holding the secret. Example: a header carries an HMAC-SHA256 signature; you compute the expected signature with your copy of the secret and compare the two using a constant-time comparison.
  • Shared secrets: A secret token known only to you and the ESP, included in requests so you can verify them.
  • Timestamp validation: Payloads include a timestamp bound into the signature; reject deliveries whose timestamp is too old (or too far in the future). This narrows the window in which a captured delivery can be replayed.
  • IP allowlisting: Accept webhooks only from the ESP's published IP ranges, as a defence-in-depth measure alongside signature checks.
  • HTTPS required: Webhooks should only post to HTTPS endpoints so payloads and secrets are protected in transit.

API security:

  • Authentication: API keys, OAuth tokens, or other credentials are required for every request.
  • Rate limiting: Prevents abuse through excessive requests.
  • Input validation: Validate and sanitize all input to prevent injection attacks.
  • TLS only: API endpoints require HTTPS.
  • Key rotation: The ability to rotate compromised credentials, ideally with an overlap period so the old and new key are both valid while consumers switch over.

Your responsibility:

  • Implement signature verification for webhooks
  • Protect API credentials
  • Use HTTPS endpoints
  • Validate webhook sources
  • Log and monitor API/webhook activity
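The following is an added example of the signature, timestamp and key-rotation checks described above; it is not code from any ESP or from this page. The header names (X-Webhook-Timestamp, X-Webhook-Signature), the signed message layout ("<timestamp>.<raw body>") and the 300-second tolerance are assumptions for illustration. Real providers differ on all three, so take the exact scheme from your ESP's documentation and keep the structure of the check.

```python
import hashlib
import hmac
import time

# Assumed header names and signing scheme (hypothetical, for this example only;
# real ESPs differ, so take the exact layout from your provider's documentation):
#   X-Webhook-Timestamp : Unix seconds at which the ESP sent the delivery
#   X-Webhook-Signature : lowercase hex HMAC-SHA256 over "<timestamp>.<raw body>"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"
MAX_SKEW_SECONDS = 300  # reject deliveries more than 5 minutes old or in the future


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Compute the signature the ESP is assumed to send for this timestamp and body.

    Binding the timestamp into the signed message is what makes the timestamp
    check trustworthy: an attacker cannot bump the header on a replayed delivery
    without invalidating the signature.
    """
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, secrets: list, now=None) -> tuple:
    """Validate one webhook delivery. Returns (accepted, reason).

    `body` must be the raw request bytes exactly as received; re-serialising
    parsed JSON changes whitespace and key order and breaks the comparison.
    `headers` is a plain dict keyed by the exact header names (most web
    frameworks expose a case-insensitive header object; adapt the lookup).
    `secrets` is a list so that, during key rotation, the current and previous
    secrets are both accepted until the ESP has switched over.
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing signature headers"
    if not sig.isascii():
        return False, "malformed signature"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside tolerance"
    for secret in secrets:
        expected = sign_payload(secret, ts, body)
        # compare_digest runs in constant time, so response timing does not
        # leak how many leading bytes of a guessed signature were correct.
        if hmac.compare_digest(expected, sig):
            return True, "ok"
    return False, "signature mismatch"


# Constructed sample delivery (not real ESP traffic).
CURRENT_SECRET = b"whsec_current_example_only"
PREVIOUS_SECRET = b"whsec_previous_example_only"
SAMPLE_BODY = b'{"event":"delivered","message_id":"m-123","to":"user@example.com"}'
SAMPLE_NOW = 1_700_000_000


def build_headers(secret: bytes, timestamp: int, body: bytes) -> dict:
    """Simulate the ESP side so the example runs offline."""
    return {
        TIMESTAMP_HEADER: str(timestamp),
        SIGNATURE_HEADER: sign_payload(secret, timestamp, body),
    }


if __name__ == "__main__":
    good = build_headers(CURRENT_SECRET, SAMPLE_NOW, SAMPLE_BODY)
    print(verify_webhook(good, SAMPLE_BODY, [CURRENT_SECRET], SAMPLE_NOW))
    # Tampered body: the signature no longer matches
    tampered = SAMPLE_BODY.replace(b"delivered", b"bounced")
    print(verify_webhook(good, tampered, [CURRENT_SECRET], SAMPLE_NOW))
    # Replay of a valid delivery ten minutes later
    print(verify_webhook(good, SAMPLE_BODY, [CURRENT_SECRET], SAMPLE_NOW + 600))
    # Delivery signed with the previous secret, accepted during rotation
    old = build_headers(PREVIOUS_SECRET, SAMPLE_NOW, SAMPLE_BODY)
    print(verify_webhook(old, SAMPLE_BODY, [CURRENT_SECRET, PREVIOUS_SECRET], SAMPLE_NOW))
```

Two practical points the code illustrates. First, the timestamp tolerance only narrows the replay window; a captured delivery can still be replayed within it, so if duplicate processing matters (for example, crediting an event twice), also record the delivery or message identifiers you have already handled within the window and reject repeats. Second, accepting a list of secrets is what makes key rotation safe: add the new secret, wait for the ESP to start signing with it, then drop the old one.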