Webhook Signing
Overview of the Webhook Signing API
Hand off to an LLM
Manage the webhook signing secret used to authenticate outbound webhook deliveries.
When a signing secret is active, every webhook delivery includes a bem-signature header
in the format t={unix_timestamp},v1={hex_hmac_sha256}. The signature covers
{timestamp}.{raw_request_body} and can be verified using HMAC-SHA256 with your secret.
Rotate the secret at any time with POST /v3/webhook-secret. To avoid downtime during
rotation, update your verification logic to accept both the old and new secret briefly
before revoking the old one.
See also
- Webhooks — subscribe, receive, verify