Verify each provider on its own endpoint
One endpoint per source, each with its provider secret registered.
Register one destination — your receiver
add returns a signing secret, shown once. Configure it in your receiver’s Standard Webhooks verifier.Subscribe every endpoint to that one destination
--require-verified routes only events whose source was authenticated (the verified and authenticated states), dropping unattempted and failed. webhook.co re-signs each with the destination’s secret — the un-forgeable verification state gates whether we vouch for it, so a forged event never carries your signature.Every subscription to the same destination delivers under the same signing secret, so your
receiver runs one verifier. Rotate it in one place — see rotate a signing
secret.