Hi there, we recommend one of the following approaches: 1) Whitelist IPs All of our webhooks are sent from the following IPs, which you can whitelist: US Region 54.81.253.187 54.81.255.221 52.23.121.194 52.44.110.80 EU region 34.253.119.130 52.214.174.64 34.248.247.69 54.72.179.250 (This is an exhaustive set.) 2) Use security tokens You can add a token of your choice to the endpoint URL, e.g. `https://myurl.com/?token=123abc`. This is not very secure, since it may be logged in more places, but provides an additional layer of security. Our team is also working on an improvement that allows you to add a token of your choice to the webhook endpoint via the Shippo App. This token will then be included in the webhook's POST request "Shippo-Signature" header, and provides more security than the endpoint URL token. Hope that helps! Best, Simon |