Protect your webhook endpoint by validating incoming events. Check the Lucca-Signature and the Lucca-Timestamp HTTP headers and return a 401 Unauthorized
... "." (dot) character. Both properties can be found in HTTP headers:
- the Lucca-Signature HTTP header;
- the Lucca-Timestamp HTTP header.
If the signature is absent (no Lucca-Signature header was sent) or does not match, then return a 401 Unauthorized.
The Lucca-Timestamp HTTP header matches the exact time the request was sent from Lucca's servers. It is a UTC date-time in ISO 8601 format, e.g. "2025-01-01T08:34:23Z".
You should check that the timestamp is within +/- 5 minutes of the moment you receive the event, in order to protect yourself against replay attacks.
If the timestamp is too old, too far in the future, or simply missing, then return a 401 Unauthorized.
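The two checks described above, as an added example that is not Lucca's own code: it parses the Lucca-Timestamp header, enforces the +/- 5 minute window, and rejects a missing or mismatched Lucca-Signature. Because the page does not state how the signature is computed, the expected signature is passed in by the caller (an assumption), and the comparison is done in constant time.

```python
import hmac
from datetime import datetime, timedelta, timezone

# Tolerance stated on the page: +/- 5 minutes around the receive time.
MAX_SKEW = timedelta(minutes=5)


def parse_lucca_timestamp(value):
    """Parse the Lucca-Timestamp header (UTC, ISO 8601, e.g. 2025-01-01T08:34:23Z).
    Returns an aware UTC datetime, or None if the value is missing, malformed
    or lacks a timezone designator."""
    if not value:
        return None
    try:
        # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:
        return None
    return ts.astimezone(timezone.utc)


def timestamp_is_fresh(header_value, received_at):
    """True only if the header parses and lies within MAX_SKEW of received_at."""
    ts = parse_lucca_timestamp(header_value)
    if ts is None:
        return False
    return abs(received_at - ts) <= MAX_SKEW


def validate_event(headers, received_at, expected_signature):
    """Return the HTTP status to answer with: 200 when both headers check out,
    otherwise 401. `headers` is a plain dict with the exact header names;
    `expected_signature` is the value your side computed for this request
    (assumption: the page does not specify the signing algorithm)."""
    sig = headers.get("Lucca-Signature")
    if not sig or not hmac.compare_digest(sig.encode(), expected_signature.encode()):
        return 401  # signature absent or does not match
    if not timestamp_is_fresh(headers.get("Lucca-Timestamp"), received_at):
        return 401  # timestamp missing, too old or too far in the future
    return 200
```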