Prompt run finished

HMAC-SHA256 signature for payload verification. The header value follows the format t={timestamp},v1={signature} where the signature is computed over {timestamp}.{raw_request_body} using your webhook secret. To verify: recompute the HMAC using the timestamp from the header and the raw request body, then compare against the v1 value. Reject requests where the timestamp falls outside your acceptable tolerance window to prevent replay attacks.