Verifying Signatures
1. Grab the `X-OpenOrigins-Signature` header from the webhook request.
2. Compute `HMAC_SHA256(request_body, <your signing secret>)`.
3. Compare the hex digest to the header value using a constant-time comparison. If they match, the payload is genuine.
Rotate the signing secret in the dashboard; old secrets remain valid for 24 hours to avoid downtime.
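
The three steps above and the 24-hour rotation overlap, as an added Python example (not OpenOrigins' own code). It assumes the header carries only the bare hex digest and that the receiver keeps both the new and the previous secret during the overlap; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "X-OpenOrigins-Signature"

# Constructed sample values, not real secrets or payloads.
NEW_SECRET = b"example-new-secret"
OLD_SECRET = b"example-old-secret"
SAMPLE_BODY = b'{"event":"example.created","id":"evt_constructed_1"}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Step 2: hex HMAC-SHA256 of the body, keyed with the signing secret."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, secrets: list) -> bool:
    """Return True if the header matches the HMAC under any accepted secret.

    raw_body must be the exact bytes received, before any JSON parsing:
    re-serialising the payload changes the bytes and the digest.
    """
    # Step 1: HTTP header names are case-insensitive.
    received = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()),
        None,
    )
    if not received:
        return False
    # Assumption: tolerate surrounding whitespace and upper-case hex.
    received_bytes = received.strip().lower().encode("utf-8")

    matched = False
    for secret in secrets:
        expected = compute_signature(secret, raw_body).encode("ascii")
        # Step 3: constant-time comparison. Every secret is checked (no early
        # exit) so timing does not show which secret, if any, matched.
        matched |= hmac.compare_digest(expected, received_bytes)
    return matched


if __name__ == "__main__":
    sig = compute_signature(OLD_SECRET, SAMPLE_BODY)
    # During the overlap both secrets are accepted; afterwards pass only the new one.
    print(verify_webhook({SIGNATURE_HEADER: sig}, SAMPLE_BODY, [NEW_SECRET, OLD_SECRET]))
    print(verify_webhook({SIGNATURE_HEADER: sig}, SAMPLE_BODY, [NEW_SECRET]))
```

Once the 24-hour overlap has passed, drop the old secret from the list so that signatures made with it are rejected.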