X-Hub-Signature-256: sha256=<hex>. Setup uses a separate GET handshake. Register two secrets and webhook.co covers both.
Get the two values
- App secret — your app’s secret from App Dashboard → App settings → Basic. Signs the payloads.
- Verify token — the arbitrary string you type into Webhooks → Configure in the App Dashboard. Meta echoes it back during the subscription handshake.
Register both on your endpoint
Register the app secret as the signing secret:kind: verify_token:
The subscription handshake
When you save the callback URL in the App Dashboard, Meta sends ahub.mode=subscribe GET carrying hub.challenge and hub.verify_token. webhook.co echoes the challenge only if the presented verify token matches the one you registered (constant-time compared), and returns 403 otherwise — so a wrong token fails setup instead of leaking the challenge.