Webhook signing

Verify webhook signatures before parsing the event into business logic. Keep the raw request body bytes because signature verification depends on the exact payload that Aient sent.

Consumer checklist

  • Read the raw request body before JSON parsing.
  • Verify the Aient signature header with the endpoint secret configured in Aient.
  • Reject missing, malformed, or stale signatures.
  • Deduplicate by the CloudEvents (source, id) tuple after verification.
  • Return 2xx only after the event is durably accepted.
If verification fails, return a non-2xx response and do not process the event.
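
The checklist above as one handler, added here as an illustration and not taken from Aient's documentation or SDK. Assumptions: the header name `x-example-signature`, the `t=<unix>,v1=<hex>` header format, HMAC-SHA256 over `<t>.<raw body>`, the 300-second freshness window, the 400/401 status choices, and the in-memory dict standing in for a durable store.

```python
import hashlib
import hmac
import json
import time

SIG_HEADER = "x-example-signature"  # hypothetical name; use the header Aient documents
TOLERANCE_S = 300                   # assumed freshness window, in seconds

def sign(secret: bytes, ts: int, raw_body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over b"<ts>." + the raw body bytes."""
    mac = hmac.new(secret, str(ts).encode() + b"." + raw_body, hashlib.sha256)
    return f"t={ts},v1={mac.hexdigest()}"

def handle_webhook(raw_body: bytes, headers: dict, secret: bytes, store: dict, now=None) -> int:
    """Return the HTTP status to send. `store` maps (source, id) -> event."""
    now = time.time() if now is None else now
    header = headers.get(SIG_HEADER)
    if not header:
        return 401                                   # missing signature
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        ts, given = int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        return 400                                   # malformed signature
    if abs(now - ts) > TOLERANCE_S:
        return 401                                   # stale signature
    expected = sign(secret, ts, raw_body).split("v1=", 1)[1]
    # Constant-time comparison over bytes; never use == on MACs.
    if not hmac.compare_digest(expected.encode(), given.encode()):
        return 401                                   # body or secret does not match
    # Only a verified payload is parsed into an event.
    try:
        event = json.loads(raw_body)
        key = (str(event["source"]), str(event["id"]))  # CloudEvents (source, id)
    except (ValueError, KeyError, TypeError):
        return 400
    if key not in store:
        store[key] = event                           # stand-in for a durable write
    return 200                                       # 2xx only after acceptance; redelivery is a no-op

if __name__ == "__main__":
    secret = b"constructed-demo-secret"              # constructed sample values
    body = b'{"specversion":"1.0","source":"/constructed/src","id":"evt-1","type":"demo"}'
    hdrs = {SIG_HEADER: sign(secret, int(time.time()), body)}
    store = {}
    print(handle_webhook(body, hdrs, secret, store))                          # accepted
    print(handle_webhook(json.dumps(json.loads(body)).encode(), hdrs, secret, store))  # re-serialized body fails
```

The second call in the demo shows why the raw bytes matter: parsing and re-serializing the JSON changes whitespace, so the MAC no longer matches.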