WEBHOOKS

Signed webhooks

Verify webhook payloads with HMAC signatures.

Signature header

StartupCore-Signature carries t=timestamp,v1=hex_hmac.

Replay protection

Reject events older than five minutes.