> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tesouro.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Webhook security

> Verify webhook signatures and rotate signing secrets to ensure authenticity and prevent tampering.

Tesouro signs all webhook requests to ensure authenticity and prevent tampering.

### Signature verification

Each webhook request includes signature headers that you should verify before processing:

1. **Extract signature** – Get the signature from the `X-Tesouro-Signature` header
2. **Compute expected signature** – Use your webhook secret and the request body
3. **Compare signatures** – Verify the computed signature matches the received signature
4. **Reject invalid requests** – Return a 401 status if signatures don't match

<Warning>
  Always verify webhook signatures before processing events. This prevents malicious actors from
  sending fake webhooks to trigger unauthorized actions in your system.
</Warning>

### Secret rotation

Webhook signing secrets can be rotated for security:

* New secrets can be added before old ones are removed
* Verify against both old and new secrets during rotation period
* Remove old secrets only after all in-flight webhooks are processed

Contact Tesouro support to rotate your webhook signing secrets.
