v0:{timestamp}:{body}, sent as X-Slack-Signature: v0=<hex> alongside X-Slack-Request-Timestamp. Register the signing secret and webhook.co verifies every request — and answers Slack’s setup handshake for you.
Get the signing secret
In your Slack app config at api.slack.com/apps, open Basic Information → App Credentials and copy the Signing Secret.Register it on your endpoint
The url_verification handshake
When you save an ingest URL in Slack’s Event Subscriptions, Slack POSTs aurl_verification challenge. webhook.co detects it and echoes the challenge value automatically — no configuration, and the challenge is never captured as an event. Slack signs the timestamp, so webhook.co enforces a 5-minute replay window on real events.