Webhook Signing Secrets (v3.2)

Cryptographically verify that webhook calls really come from Hedy.

After you create a webhook, your unique signing secret is shown one time in a confirmation dialog
Hedy signs every payload with HMAC-SHA256 and sends the signature in the X-Hedy-Signature header
Verify it on your server to reject spoofed or tampered requests
The secret cannot be retrieved later, so save it the first time you see it. To rotate, delete and recreate the webhook
Available on the Pro plan, up to 10 webhooks per account

Find webhooks under Settings, API Access, Manage Webhooks.