improved

Additional security features added for BILL webhooks

When you create a new webhook subscription with POST /v3/subscriptions, you now get a one-time securityKey as one of the generated values in the response. All event notifications sent to your notificationUrl are signed with the security key using the HMAC-SHA256 algorithm. The signature is sent as the x-bill-sha-signature header value in the notification.

You can use the security key to verify all notifications sent to you. It is good practice to rotate the security key for your subscription regularly. Use POST /v3/subscriptions/{subscriptionId}/security_key to generate a new security key at the frequency you choose.

See Create a security key in the API reference for more information.
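
The following is an added example, not BILL's code, of verifying a notification on the receiving side and handling a key rotation. It assumes the x-bill-sha-signature header carries the base64-encoded HMAC-SHA256 of the raw request body, and that the receiver briefly accepts the previous key after rotating; neither detail is stated on this page, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

SIGNATURE_HEADER = "x-bill-sha-signature"  # header name given on this page


def compute_signature(security_key: str, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw body under securityKey.

    Assumption: the signature is base64-encoded and covers the unmodified
    request body bytes. Check the API reference for the exact encoding.
    """
    mac = hmac.new(security_key.encode("utf-8"), raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_notification(headers: dict, raw_body: bytes, security_keys: list) -> bool:
    """Return True only if the header matches the HMAC under an accepted key.

    security_keys holds the current key and, during a rotation window,
    the previous one (a hypothetical receiver-side policy).
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    received = normalised.get(SIGNATURE_HEADER)
    if not received or not security_keys:
        return False  # fail closed: unsigned notifications are rejected
    received_bytes = received.strip().encode("utf-8")

    valid = False
    for key in security_keys:
        expected = compute_signature(key, raw_body).encode("ascii")
        # Constant-time comparison; every key is checked, with no early exit.
        valid |= hmac.compare_digest(expected, received_bytes)
    return valid


if __name__ == "__main__":
    # Constructed sample values, not real keys or real BILL payloads.
    old_key, new_key = "constructed-old-key", "constructed-new-key"
    body = b'{"constructed": "notification body"}'
    headers = {"X-Bill-Sha-Signature": compute_signature(old_key, body)}

    print(verify_notification(headers, body, [new_key, old_key]))  # in window
    print(verify_notification(headers, body, [new_key]))           # old key retired
    print(verify_notification(headers, body + b" ", [old_key]))    # body altered
```

Verify against the exact bytes received, before any JSON parsing or re-serialization, because a re-encoded body will not produce the same HMAC.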