Webhooks are signed with Ed25519. Every request includes X-Inbox-Signature (base64) and X-Inbox-Timestamp (Unix seconds).
Get your public key. Settings → Webhooks → Verification Key. Rotates quarterly with 30-day overlap.
Verify on receipt. The signed message is timestamp + "." + raw body. Use any Ed25519 library (nacl/tweetnacl/cryptography). Reject if timestamp is older than 5 minutes.
Acknowledge. Return 2xx as quickly as possible. We treat anything else as failure and retry with exponential backoff for 24 hours.
Replay. The dashboard's Webhooks → History tab lets you re-fire any event manually for testing.
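The verification steps above as a receiver-side check, added here as an example (not the provider's own code). It assumes Node.js and keys passed in as KeyObject instances, since the page does not state the key's export format; the name verifyWebhook and the reason strings are illustrative.

```javascript
const nodeCrypto = require('node:crypto');

const MAX_AGE_SECONDS = 5 * 60; // page: reject timestamps older than 5 minutes

// headers: lower-cased header map; rawBody: Buffer of the exact bytes received.
// publicKeys: KeyObject[] (current key plus the previous one during rotation overlap).
function verifyWebhook(headers, rawBody, publicKeys, nowSeconds = Math.floor(Date.now() / 1000)) {
  const timestamp = headers['x-inbox-timestamp'];
  const signatureB64 = headers['x-inbox-signature'];
  if (typeof timestamp !== 'string' || typeof signatureB64 !== 'string') {
    return { ok: false, reason: 'missing-header' };
  }
  if (!/^\d{1,12}$/.test(timestamp)) return { ok: false, reason: 'bad-timestamp' };
  if (nowSeconds - Number(timestamp) > MAX_AGE_SECONDS) return { ok: false, reason: 'stale' };
  if (!Buffer.isBuffer(rawBody)) return { ok: false, reason: 'body-not-raw' };
  const signature = Buffer.from(signatureB64, 'base64');
  if (signature.length !== 64) return { ok: false, reason: 'bad-signature-encoding' };

  // Signed message is timestamp + "." + raw body, byte for byte.
  const message = Buffer.concat([Buffer.from(timestamp + '.', 'utf8'), rawBody]);
  const valid = publicKeys.some((key) => nodeCrypto.verify(null, message, key, signature));
  return valid ? { ok: true, reason: null } : { ok: false, reason: 'bad-signature' };
}

// Constructed demo: throwaway key pairs stand in for the sender's keys.
function demo() {
  const now = 1700000000; // constructed clock value
  const current = nodeCrypto.generateKeyPairSync('ed25519');
  const previous = nodeCrypto.generateKeyPairSync('ed25519');
  const keys = [current.publicKey, previous.publicKey];
  const body = Buffer.from('{"event":"example","id":1}'); // constructed payload
  const send = (ts, privateKey) => {
    const msg = Buffer.concat([Buffer.from(ts + '.'), body]);
    return {
      'x-inbox-timestamp': String(ts),
      'x-inbox-signature': nodeCrypto.sign(null, msg, privateKey).toString('base64'),
    };
  };
  // Re-serialising parsed JSON changes the bytes, so the signature no longer matches.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(body.toString()), null, 2));
  return {
    fresh: verifyWebhook(send(now - 10, current.privateKey), body, keys, now).reason,
    previousKey: verifyWebhook(send(now - 10, previous.privateKey), body, keys, now).reason,
    stale: verifyWebhook(send(now - 301, current.privateKey), body, keys, now).reason,
    reserialized: verifyWebhook(send(now - 10, current.privateKey), reserialized, keys, now).reason,
  };
}
```

Run the check on the raw request bytes, before any JSON middleware parses the body, and keep it ahead of any slow processing so the 2xx goes out quickly.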
