Security
Verify the signature
Every delivery carries a Signals-Signature header:
Signals-Signature: t=1700000000,v1=<hex hmac-sha256>Compute HMAC-SHA256(secret, "<t>.<raw_body>") and compare in constant time.
Reject deliveries whose timestamp is more than 5 minutes old.
import hmac, hashlib, time
def verify(secret, raw_body, header, tolerance=300): parts = dict(p.split("=", 1) for p in header.split(",")) ts, sig = int(parts["t"]), parts["v1"] if abs(int(time.time()) - ts) > tolerance: return False expected = hmac.new(secret.encode(), f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest() return hmac.compare_digest(expected, sig)Endpoint requirements
Your endpoint URL must be HTTPS and must resolve to a public address. We reject URLs that resolve to private, loopback, link-local, or reserved ranges (an SSRF protection), and we re-check at delivery time to defeat DNS rebinding.