How do ESPs verify webhook and API integrity?

Webhooks and APIs are integration points that need protection against tampering and abuse.

Webhook security:

Signature validation: ESP signs webhook payloads with a secret key. You verify the signature matches, proving the payload wasn't modified and came from the ESP.

Example: Header contains HMAC-SHA256 signature; you compute expected signature and compare.

Shared secrets: A secret token known only to you and the ESP, included in requests for verification.

Timestamp validation: Payloads include timestamps; reject if too old (prevents replay attacks).

IP allowlisting: Accept webhooks only from known ESP IP ranges.

HTTPS required: Webhooks should only post to HTTPS endpoints for transport security.

API security:

Authentication: API keys, OAuth tokens, or other credentials required for all requests.

Rate limiting: Prevents abuse through excessive requests.

Input validation: Sanitize and validate all input to prevent injection attacks.

TLS only: API endpoints require HTTPS.

Key rotation: Ability to rotate compromised credentials.

Your responsibility:

Implement signature verification for webhooks

Protect API credentials

Use HTTPS endpoints

Validate webhook sources

Log and monitor API/webhook activity