X-Kayle-Signature header. Verify it before processing the body. An attacker who knows your endpoint URL but not the signing secret cannot forge a valid signature.
The header
t is a Unix timestamp (seconds). v1 is HMAC-SHA256(t + "." + raw_body, signing_secret) rendered as lowercase hex.
The verification algorithm
Capture the raw body
Hash exactly the bytes Kayle sent. If your framework parses JSON before you can read the raw body, capture the buffer first — re-serialising parsed JSON does not produce the same bytes.
Compare in constant time
Use a constant-time comparison (crypto.timingSafeEqual in Node, hmac.compare_digest in Python). Don't use ==. If the signature does not match, respond with 400 and don't process the body. Kayle treats non-2xx responses as delivery failures and retries.
Code samples
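A Python verifier for the scheme described above, added here as an illustration rather than Kayle's own sample code. It assumes the header is comma-separated key=value pairs of the form t=<timestamp>,v1=<hex> (the page does not show the literal layout) and applies a 5-minute freshness window on t, which the page does not specify; the secret, body and timestamp are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample values for the demo; a real secret comes from endpoint
# creation, rotation or the reveal call described on this page.
SAMPLE_SECRET = "whsec_example_do_not_use"
SAMPLE_BODY = b'{"event":"payment.completed","id":"evt_123"}'
SAMPLE_TS = 1700000000


def compute_v1(timestamp: int, raw_body: bytes, signing_secret: str) -> str:
    """HMAC-SHA256 over t + "." + raw_body, keyed with the signing secret, as lowercase hex."""
    message = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(signing_secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def parse_signature_header(value: str) -> dict:
    """ASSUMPTION: the header is comma-separated key=value pairs, e.g. 't=1700000000,v1=<hex>'."""
    fields = {}
    for item in value.split(","):
        key, sep, val = item.strip().partition("=")
        if sep:
            fields[key] = val
    return fields


def verify_signature(header_value, raw_body, signing_secret, now=None, max_age=300):
    """Return True only if the header carries a fresh, valid v1 signature over the raw bytes."""
    if not header_value:
        return False
    fields = parse_signature_header(header_value)
    try:
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    # Freshness window: the page defines t but no tolerance; 300 s is our assumption.
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > max_age:
        return False
    expected = compute_v1(timestamp, raw_body, signing_secret)
    # Constant-time compare on bytes; never use == here.
    return hmac.compare_digest(expected.encode("ascii"), provided.encode("utf-8"))


def handle_delivery(header_value, raw_body, signing_secret, now=None):
    """Framework-agnostic handler: hash the raw bytes and reject with 400 before parsing JSON."""
    if not verify_signature(header_value, raw_body, signing_secret, now=now):
        return 400  # not processed; Kayle treats non-2xx as a failed delivery and retries
    # Only now is it safe to parse the body and act on the event.
    return 200
```

Pass the raw request bytes (the framework's body buffer), not a re-serialised parsed object, as raw_body.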
Where the secret comes from
The signing secret is returned exactly once when you create an endpoint, and again on rotation. It can be revealed by an owner-role user via POST /v1/webhooks/endpoints/:endpoint_id/signing-secret/reveal. Store it as you would any high-value credential.