Webhook security proves that a delivery came from 4Mica and that its body was not
modified or replayed.
Verify the raw body
Verify the configured webhook signature before parsing JSON. Framework body
parsers can change whitespace or encoding, which breaks signature verification.
Your verification step should use:
- the exact raw request bytes;
- the signature and timestamp headers supplied with the delivery;
- the webhook secret configured for your endpoint;
- a small timestamp tolerance to reject stale replays.
Never trust an event type, wallet address, amount, or transaction hash before
signature verification succeeds.
Prevent replay
Store each top-level event ID in durable storage. If the ID has already been
processed, return a successful response without applying the change again.
Do not use timestamps as the only deduplication key. Two legitimate events can
share a timestamp.
Rotate secrets
Support a short overlap where both the old and new webhook secrets verify
successfully. Remove the old secret after all senders use the replacement.
Keep secrets in a managed secret store and never write them to request logs.
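The verification, replay, and rotation steps above combined in one handler, as an added example that is not 4Mica's own code. It assumes a hex HMAC-SHA256 over `<timestamp>.<raw body>`, hypothetical header names `X-Webhook-Signature` and `X-Webhook-Timestamp`, a top-level `id` field, and a 300-second tolerance; substitute the scheme and headers configured for your endpoint. The in-memory set stands in for durable storage.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window; size it to your clock skew


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # Assumed scheme: hex HMAC-SHA256 over b"<timestamp>.<raw body>".
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_delivery(raw_body, signature, timestamp, secrets, now=None):
    """True only if the timestamp is fresh and an active secret matches."""
    now = time.time() if now is None else now
    try:
        sent_at = int(timestamp)
    except (TypeError, ValueError):
        return False  # missing or malformed timestamp header
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return False  # stale or future-dated delivery
    supplied = (signature or "").encode()
    ok = False
    # During rotation `secrets` holds both old and new; check each one
    # with a constant-time comparison and no early exit.
    for secret in secrets:
        expected = sign(secret, timestamp, raw_body).encode()
        ok |= hmac.compare_digest(expected, supplied)
    return ok


def handle(raw_body, headers, secrets, seen_ids, now=None):
    """Verify the raw bytes first, then parse, then deduplicate by event ID."""
    sig = headers.get("X-Webhook-Signature")   # hypothetical header name
    ts = headers.get("X-Webhook-Timestamp")    # hypothetical header name
    if not verify_delivery(raw_body, sig, ts, secrets, now):
        return 401, "rejected"
    event = json.loads(raw_body)  # nothing in the body is trusted before this
    if event["id"] in seen_ids:
        return 200, "duplicate"   # acknowledge without applying again
    seen_ids.add(event["id"])     # use a unique-keyed durable store in practice
    return 200, "applied"
```

Because the timestamp is part of the signed message, an attacker cannot refresh a captured delivery by editing the timestamp header alone.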
Limit exposure
- Accept HTTPS only.
- Restrict request size.
- Apply rate limits without blocking legitimate retries.
- Log failed verification attempts without logging secrets or sensitive bodies.
- Queue verified events before expensive processing.
Use best practices for delivery and retry behavior.