What is a webhook and how do you verify an HMAC signature?
A webhook is an HTTP callback: when an event happens, Stripe, GitHub, or your partner sends a POST to an endpoint you expose. You must not trust the source IP or the URL alone, because attackers can forge POSTs. The common verification scheme is HMAC: the provider signs the raw request body (sometimes together with a timestamp) with a shared secret, and you recompute the signature over the same bytes and compare it in constant time. Use the raw body bytes your framework gives you before JSON parsing; re-serialized JSON can differ byte for byte, so the signature will not match. Also reject old timestamps to limit replay. Idempotency keyed on the event id helps when the provider redelivers an event.
Example signature header (the header name and value format are provider-specific):

    X-Signature: sha256=ab12...

Recomputing the digest in Node.js over the raw body:

    const crypto = require('crypto');
    const expected = crypto.createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex');

Start simple: try this concept in a tiny project before moving to advanced tools.
Tags: security, http, webhooks