Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.tesouro.com/llms.txt

Use this file to discover all available pages before exploring further.

Tesouro signs all webhook requests to ensure authenticity and prevent tampering.

Signature verification

Each webhook request includes signature headers that you should verify before processing:
  1. Extract signature – Get the signature from the X-Tesouro-Signature header
  2. Compute expected signature – Use your webhook secret and the request body
  3. Compare signatures – Verify the computed signature matches the received signature
  4. Reject invalid requests – Return a 401 status if signatures don’t match
Always verify webhook signatures before processing events. This prevents malicious actors from sending fake webhooks to trigger unauthorized actions in your system.

Secret rotation

Webhook signing secrets can be rotated for security:
  • New secrets can be added before old ones are removed
  • Verify against both old and new secrets during rotation period
  • Remove old secrets only after all in-flight webhooks are processed
Contact Tesouro support to rotate your webhook signing secrets.