A webhook is how an external service sends events to your server. But since anyone can send a request to that URL, you need to confirm the request really came from that service. The standard method for this is an HMAC signature.
The sender and receiver share a secret key. The sender hashes the request body with the key using HMAC-SHA256 and places the resulting signature in a header. The receiver hashes the same body with the same key and compares whether the two signatures match.
A match guarantees two things at once. Only the party holding the key can produce a valid signature, so authenticity is confirmed, and if the body changes even slightly the signature differs, so integrity is confirmed. Most webhooks — GitHub, Stripe, Slack, and others — use this approach.
You can verify it directly in AG HASH. Turn on the HMAC option, enter the shared key, then paste the request body, and the HMAC-SHA256 value appears. Compare it against the signature in the request header. In real verification, a constant-time comparison is recommended to avoid timing attacks.