If you created your webhook subscription with a signingKey, you can verify the authenticity of each webhook by validating the request signature sent in the request headers.
From the incoming webhook, parse the following request headers:
messagebird-signature
messagebird-request-timestamp
In addition, parse the request URL and the request body.
To calculate the request signature:
1. Base64 decode the messagebird-signature
2. Create a SHA256 hash checksum of the request body and decode to a string
3. Join the request timestamp (messagebird-request-timestamp) with the request URL and the checksum string computed in step 2
4. Calculate HMACSHA256 using the signing key as the secret and the joined payload from step 3 as the message to produce the signature string
5. Compare the output of step 4 to the signature from step 1
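The five steps above as a verification function, added here as an example and not taken from the provider's own code. The page does not state the join separator or the checksum encoding, so the newline separator and raw digest bytes below are assumptions, as are the function names and the constructed sample request.

```python
import base64
import binascii
import hashlib
import hmac

# Assumptions (not stated on the page): the three parts are joined with "\n"
# and the body checksum is used as raw digest bytes. Confirm both against the
# provider's reference before relying on this.
SEPARATOR = b"\n"


def expected_signature(signing_key: bytes, timestamp: str, url: str, body: bytes) -> bytes:
    """Steps 2-4: hash the body, join timestamp/URL/checksum, HMAC-SHA256 it."""
    checksum = hashlib.sha256(body).digest()
    payload = SEPARATOR.join([timestamp.encode(), url.encode(), checksum])
    return hmac.new(signing_key, payload, hashlib.sha256).digest()


def verify_webhook(signing_key: bytes, headers: dict, url: str, body: bytes) -> bool:
    """Return True only if the messagebird-signature header matches."""
    # Header names are case-insensitive on the wire; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    sig_b64 = lowered.get("messagebird-signature")
    timestamp = lowered.get("messagebird-request-timestamp")
    if not sig_b64 or not timestamp:
        return False  # unsigned or incomplete request: reject
    try:
        received = base64.b64decode(sig_b64, validate=True)  # step 1
    except (binascii.Error, ValueError):
        return False  # malformed header value: reject rather than raise
    # Step 5: constant-time comparison avoids leaking how many bytes matched.
    expected = expected_signature(signing_key, timestamp, url, body)
    return hmac.compare_digest(received, expected)


# Constructed sample request (not real traffic).
KEY = b"example-signing-key"
URL = "https://example.com/hooks/inbound"
BODY = b'{"id":"constructed-event"}'
TS = "1700000000"
GOOD = {
    "MessageBird-Signature": base64.b64encode(expected_signature(KEY, TS, URL, BODY)).decode(),
    "MessageBird-Request-Timestamp": TS,
}

if __name__ == "__main__":
    print(verify_webhook(KEY, GOOD, URL, BODY))         # valid request
    print(verify_webhook(KEY, GOOD, URL, BODY + b" "))  # body altered in transit
```

Pass the raw request body bytes exactly as received; re-serialising parsed JSON before hashing changes the checksum and makes valid requests fail.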