A webhook secret is a key used to calculate the HTTP_TOGGLE_SIGNATURE and is passed in the header of every request.
This adds a security layer between the two apps (Toggle and your App) to make sure the payload that you receive has not been tampered with. The signature is a hash of the entire payload, signed using the signing secret that we have supplied to you. Every request received by your application should compare this signature to your own, in order to ensure that it is not fraudulent.
The secret will be provided by the Toggle support team when you first set up a web hook with us.
Before accepting any webhook sent to you, you should verify it by checking the hashed contents.
The following example (in PHP) is how you could calculate the secret and check the payload.