Protect against replay attacks with timestamp-bound webhook signatures.

Recharge webhooks now support a new signature format that includes a timestamp, allowing your systems to verify not only who sent a webhook, but also when it was sent.

By incorporating the send time into the signature, integrations can automatically reject stale requests older than 48 hours, helping prevent replay attacks where previously captured webhook payloads are resent and accepted as valid.

The existing webhook signature method remains fully supported and is not being deprecated. Existing integrations will continue to work without changes, while new integrations can adopt the timestamp-based approach for additional security.

See Webhook validation for more information.