Webhooks arrive over the open internet, so every delivery Forecite sends is signed: the raw body is HMAC-SHA256'd with your endpoint's secret and sent as X-Forecite-Signature. Verifying it takes about five lines in any language — this guide walks through all of them.
The rules that matter
Verify against the raw request bytes, not a re-serialized parse — JSON key order is not guaranteed to survive a round trip. Compare with a constant-time equality function, and use the X-Forecite-Timestamp header to reject stale replays.
Rotate without downtime
Secrets are per-endpoint, so rotation is just: create a second endpoint with a fresh secret, cut traffic over, delete the old one. Your handler never has to accept two secrets at once.