Webhooks

Use signed webhook events for reliable async state updates.

Signature validation

Always verify webhook signatures before processing payloads to prevent spoofed events.

Persist provider event IDs and ignore duplicates. Processing should be safe to retry.

Return non-2xx only for transient failures. Use retry queues and structured logs for permanent error triage.