Jede Plattform-Auslieferung enthält diese Header:
X-TP-Webhook-Id: {endpoint_id}
X-TP-Delivery-Id: {uuid}
X-TP-Event: {topic}
X-TP-Timestamp: {unix_timestamp}
X-TP-Signature: v1={hex_hmac_sha256}
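Verifikation: Signiere die Zeichenkette {X-TP-Timestamp}.{request_body} (den unveränderten Roh-Body, nicht das geparste JSON) mit deinem whsec_-Secret per HMAC-SHA256 und vergleiche das Ergebnis timing-safe mit dem Hex-Wert, der in X-TP-Signature hinter dem Präfix v1= steht. Lehne die Anfrage außerdem ab, wenn X-TP-Timestamp zu weit von der aktuellen Zeit abweicht (im PHP-Beispiel unten: mehr als 300 Sekunden), damit eine abgefangene Auslieferung nicht später erneut eingespielt werden kann.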
PHP
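// Verify an incoming webhook delivery before any business logic runs.
// $secret is the endpoint's whsec_ signing secret and must be set by the caller.

// Inputs covered by the signature: the timestamp header and the raw, unparsed body.
$ts = $_SERVER['HTTP_X_TP_TIMESTAMP'] ?? '';
$body = file_get_contents('php://input');

// Accept only the documented "v1=" scheme. Blindly cutting three characters
// would also accept headers that carry some other (or no) version prefix.
$header = $_SERVER['HTTP_X_TP_SIGNATURE'] ?? '';
$received = strncmp($header, 'v1=', 3) === 0 ? substr($header, 3) : '';

// The MAC is computed over "{timestamp}.{body}", so the timestamp cannot be
// replaced without invalidating the signature.
$expected = hash_hmac('sha256', $ts . '.' . $body, $secret);

// hash_equals() compares in constant time. The script must stop on a mismatch:
// http_response_code() only sets the status and would otherwise let the rest of
// the handler process an unauthenticated payload.
if (!hash_equals($expected, $received)) {
    http_response_code(401);
    exit;
}

// Replay protection: reject deliveries whose signed timestamp is more than
// 300 seconds away from the local clock. A missing or non-numeric timestamp
// casts to 0 and is rejected by the same check.
if (abs(time() - (int) $ts) > 300) {
    http_response_code(401);
    exit;
}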
Node
const crypto = require('crypto');
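// Verify an incoming webhook delivery inside the request handler.
// SECRET is the endpoint's whsec_ signing secret; req.rawBody must hold the
// unparsed request body exactly as it was received.

// Allowed clock difference in seconds; same 300 s window as the PHP example.
const MAX_SKEW_SECONDS = 300;

const timestamp = String(req.headers['x-tp-timestamp'] || '');

// Accept only the documented "v1=" scheme; any other header shape yields an
// empty signature, which is rejected below.
const sigHeader = String(req.headers['x-tp-signature'] || '');
const sig = sigHeader.startsWith('v1=') ? sigHeader.slice(3) : '';

// HMAC-SHA256 over "{timestamp}.{raw body}".
const exp = crypto.createHmac('sha256', SECRET).update(timestamp + '.' + req.rawBody).digest('hex');

// crypto.timingSafeEqual throws when the two buffers differ in length, so a
// missing, truncated or non-hex signature would surface as an unhandled
// exception instead of a 401. Compare lengths first; the length of the
// expected digest is not secret.
const sigBytes = Buffer.from(sig, 'hex');
const expBytes = Buffer.from(exp, 'hex');
if (sigBytes.length !== expBytes.length || !crypto.timingSafeEqual(sigBytes, expBytes)) {
  return res.sendStatus(401);
}

// Replay protection: the timestamp is covered by the signature, so a stale
// value means an old delivery is being re-sent. A missing or non-numeric
// timestamp produces a non-finite or very large skew and is rejected as well.
const skewSeconds = Math.abs(Math.floor(Date.now() / 1000) - Number(timestamp));
if (!Number.isFinite(skewSeconds) || skewSeconds > MAX_SKEW_SECONDS) {
  return res.sendStatus(401);
}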