Read the raw request body bytes (do not re-serialize JSON).
Read signature headers from the delivery (typically webhook-id / svix-id, webhook-timestamp / svix-timestamp, and webhook-signature / svix-signature).
Use the endpoint signing secret from Wazapin (format whsec_…). Store it as a server secret, not in client code.
Reject requests outside the allowed timestamp window (replay protection).
Compare expected and received signatures with a constant-time comparison.
The signing scheme matches the Svix standard used for outbound deliveries. You can use the official Svix libraries or implement the same HMAC steps below.
Use github.com/svix/svix-webhooks with your endpoint whsec_ secret, or implement the same signed content yourself: msgID + "." + timestamp + "." + string(body), authenticated with HMAC-SHA256 and base64-encoded, matching the v1 entries in the signature header.
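The steps above as one self-contained verifier in Go, added here as an example rather than code from Wazapin or the Svix library. It assumes the key material is the base64 payload after the whsec_ prefix and a five-minute tolerance window; Tolerance, signedContent and Verify are names chosen for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

const Tolerance = 5 * time.Minute // allowed skew between webhook-timestamp and now

// signedContent is HMAC-SHA256 over "<id>.<timestamp>.<raw body>" with the decoded key.
func signedContent(key []byte, msgID, ts string, body []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msgID + "." + ts + "." + string(body)))
	return mac.Sum(nil)
}

// Verify checks a delivery's headers and raw body against the whsec_ endpoint secret.
func Verify(secret, msgID, ts, sigHeader string, body []byte, now time.Time) error {
	// Assumption: the key material is the base64 payload after the whsec_ prefix.
	key, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(secret, "whsec_"))
	if err != nil {
		return errors.New("malformed signing secret")
	}
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp header")
	}
	// Replay protection: reject timestamps outside the tolerance window.
	if d := now.Sub(time.Unix(unix, 0)); d > Tolerance || d < -Tolerance {
		return errors.New("timestamp outside allowed window")
	}
	expected := signedContent(key, msgID, ts, body)
	// The header may carry several space-separated entries (e.g. during secret
	// rotation); accept if any v1 entry matches, using a constant-time comparison.
	for _, entry := range strings.Fields(sigHeader) {
		version, sig, ok := strings.Cut(entry, ",")
		if !ok || version != "v1" {
			continue
		}
		if got, err := base64.StdEncoding.DecodeString(sig); err == nil && hmac.Equal(got, expected) {
			return nil
		}
	}
	return errors.New("no matching v1 signature")
}
```

Pass the raw bytes read from the request body, not a re-encoded JSON document, since any whitespace or key-order change alters the HMAC.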