Prerequisites
Steps
Troubleshooting
What you built
You registered a webhook and stored the signing secret, read and validated the three delivery headers, implemented HMAC-SHA256 verification with constant-time comparison, added replay protection via the timestamp window, deduplicated retries on the bodyid, and structured the handler to respond inside the 10-second timeout. Your endpoint is now safe to receive and process gavAI events.