# Security

> Secure and verify 4Mica webhooks.

Webhook security proves that a delivery came from 4Mica and that its body was not
modified or replayed.

## Verify the raw body

Verify the configured webhook signature before parsing JSON. Framework body
parsers can change whitespace or encoding, which breaks signature verification.

Your verification step should use:

* the exact raw request bytes;
* the signature and timestamp headers supplied with the delivery;
* the webhook secret configured for your endpoint;
* a small timestamp tolerance to reject stale replays.

<Warning>
  Never trust an event type, wallet address, amount, or transaction hash before
  signature verification succeeds.
</Warning>

## Prevent replay

Store each top-level event `id` in durable storage. If the ID has already been
processed, return a successful response without applying the change again.

Do not use timestamps as the only deduplication key. Two legitimate events can
share a timestamp.

## Rotate secrets

Support a short overlap where both the old and new webhook secrets verify
successfully. Remove the old secret after all senders use the replacement.

Keep secrets in a managed secret store and never write them to request logs.
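The three rules above (sign the raw bytes, deduplicate on the event `id`, and accept both secrets during a rotation overlap) in one receiver-side routine. This is an added example, not 4Mica's own code: the header names, the `v1`-less hex encoding, and the signing scheme (HMAC-SHA256 over `"<timestamp>.<raw body>"`) are assumptions; substitute the scheme 4Mica documents for your endpoint, and replace the in-memory `seen_ids` set with durable storage.

```python
import hashlib
import hmac
import json
import time
from typing import Iterable, Mapping, Optional

# Hypothetical header names and signing scheme (HMAC-SHA256 over
# "<timestamp>.<raw body>"); substitute the values 4Mica documents for your endpoint.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
TOLERANCE_SECONDS = 300  # reject deliveries more than five minutes old (or ahead)


def compute_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    # Sign the exact raw bytes; including the timestamp means a captured body
    # cannot be re-sent later under a fresh timestamp header.
    message = timestamp.encode() + b"." + raw_body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, headers: Mapping[str, str], secrets: Iterable[str],
                   now: Optional[float] = None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only if the timestamp is within tolerance and at least one configured
    secret (old or new, during a rotation overlap) reproduces the signature."""
    timestamp = headers.get(TIMESTAMP_HEADER, "")
    signature = headers.get(SIGNATURE_HEADER, "")
    if not timestamp.isdigit() or not signature:
        return False
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > tolerance:
        return False  # stale delivery: treat it as a replay
    # compare_digest runs in constant time, so a near-miss leaks nothing via timing.
    return any(hmac.compare_digest(compute_signature(s, timestamp, raw_body), signature)
               for s in secrets)


def handle_delivery(raw_body: bytes, headers: Mapping[str, str], secrets: Iterable[str],
                    seen_ids: set, now: Optional[float] = None) -> tuple:
    """Return (HTTP status, outcome). `seen_ids` stands in for durable storage of
    processed event ids; verification runs on the raw bytes before json.loads."""
    if not verify_webhook(raw_body, headers, secrets, now):
        return 400, "rejected"
    event = json.loads(raw_body)
    if event["id"] in seen_ids:
        return 200, "duplicate"  # already applied: acknowledge, do not re-apply
    seen_ids.add(event["id"])
    return 200, "processed"
```

Pass `request.get_data()` (Flask) or the equivalent raw-body accessor of your framework as `raw_body`, not the parsed JSON, or the signature will not match.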

## Limit exposure

* Accept HTTPS only.
* Restrict request size.
* Apply rate limits without blocking legitimate retries.
* Log failed verification attempts without logging secrets or sensitive bodies.
* Queue verified events before expensive processing.

See [best practices](/webhooks/best-practices) for delivery and retry behavior.
