How do you usually validate the web hook from your end? Do you call it from a fixed IP which we can whitelist or do you authenticate our API accounts credentials with f.e. or something similar?
We do not really make any extra security checks on top of HTTPS protocol. We just send a handshake event and check that the server returns the expected value back. However, there is one way to protect API if needed, we can use API key header. Something like: