by siong1987 4645 days ago
There isn't a standard way of authenticating the incoming notification yet. I like how Mailgun is doing it, to verify the webhook is originating from Mailgun you need to:

  * Concatenate timestamp and token values.
  * Encode the resulting string with the HMAC algorithm (using your API Key as a key and SHA256 digest mode).
  * Compare the resulting hexdigest to the signature.
  * Optionally, you can check if the timestamp is not too far from the current time.
So, you essentially get 3 extra parameters from your webhook, `timestamp`, `token` and `signature`. Obviously, the API key is the shared secret here between your app and Mailgun.
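The four steps above, carried out in Python as an added example (this is not code from the original comment or from Mailgun). The API key, the 5-minute skew window and the sample request are constructed for the demonstration; `compute_signature` stands in for the signing Mailgun does on its side.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed for this example: a throwaway key, not a real Mailgun API key.
API_KEY = "key-example-0123456789abcdef"
MAX_SKEW_SECONDS = 300  # assumption: reject timestamps more than 5 minutes off


def compute_signature(api_key: str, timestamp: str, token: str) -> str:
    """Step 1 and 2: HMAC-SHA256 over timestamp + token, keyed with the API key."""
    msg = (timestamp + token).encode("utf-8")
    return hmac.new(api_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def verify_webhook(api_key: str, timestamp: str, token: str, signature: str,
                   now: Optional[float] = None,
                   max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """Steps 3 and 4: compare the hexdigest, then check the timestamp is fresh.

    `now` is injectable so the freshness check can be tested deterministically.
    """
    expected = compute_signature(api_key, timestamp, token)
    # Constant-time comparison: a plain == would let an attacker learn the
    # correct signature byte by byte from response timing.
    try:
        if not hmac.compare_digest(expected, signature):
            return False
    except TypeError:  # non-ASCII junk in the supplied signature
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    return abs(current - ts) <= max_skew


if __name__ == "__main__":
    # A constructed incoming request, signed with the shared key as Mailgun would.
    ts = str(int(time.time()))
    tok = "constructed-random-token"
    sig = compute_signature(API_KEY, ts, tok)
    print("genuine:", verify_webhook(API_KEY, ts, tok, sig))
    bad_sig = sig[:-1] + ("0" if sig[-1] != "0" else "1")
    print("tampered:", verify_webhook(API_KEY, ts, tok, bad_sig))
    stale = str(int(time.time()) - 3600)
    print("stale:", verify_webhook(API_KEY, stale, tok,
                                   compute_signature(API_KEY, stale, tok)))
```

Two caveats a receiver should keep in mind: as described, the HMAC covers only `timestamp` and `token`, not the rest of the posted fields, so the scheme proves the sender holds the key but not that the other parameters are untouched; and inside the skew window a captured request can still be replayed unless you remember tokens you have already accepted.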

Grooveshark does it as well.

http://developers.grooveshark.com/docs/public_api/v3/

However it depends on a shared secret for generating/verifying signatures, and some companies (cough Stripe cough) have yet to implement that. As someone else has already mentioned, thankfully each webhook request from Stripe has an ID in it so you can query their API for verifying a webhook's authenticity.

If it's just a shared secret, why not just make a secret (and complicated) URL for the web hook? It's shared with the deliverer but as long as you're using SSL it should be just as secure.

Speaking of which, the right way to do this is to validate their SSL client certificate, but I doubt many places are easily set up to do that - in fact I would bet the sending endpoint doesn't even use a certificate most of the time.