Hi @alexcsm,
Currently, these custom POSTs do not include the X-PagerDuty-Signature header that’s present in V3 webhooks, so signature-based verification isn’t available. However, you can still secure and authenticate these requests using the following best practices:
1. Always Use HTTPS (TLS 1.2+)
All PagerDuty webhooks, including custom workflow POSTs, are delivered over HTTPS with TLS 1.2 or higher. This ensures your data is encrypted in transit and protected from interception or tampering.
2. Add and Validate a Custom Header
When configuring your custom workflow or incident action, add a custom header (such as X-Webhook-Token) with a secret value known only to you and your endpoint. Your receiving service should check for this header and validate the secret before processing the request. This is a simple and effective way to authenticate incoming requests.
3. (Recommended for Production) Use an API Gateway with Authentication
For the highest level of security, route your webhook traffic through an API gateway (like AWS API Gateway, Azure API Management, etc.). The gateway can:
- Enforce authentication (API keys, OAuth tokens, etc.)
- Validate custom headers
- Provide rate limiting, logging, and additional controls
This ensures that only properly authenticated requests reach your backend, and you have full visibility and control over incoming traffic.
4. Safelisting IP Addresses (Not Best Practice)
While PagerDuty does support safelisting IP addresses, this is no longer considered a best practice for webhook security. IP ranges can change, and IP-based controls are less reliable than authentication and encrypted transport.
Let me know if any of these solutions fits your use case, and have a nice day!
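For anyone implementing option 2 above, here is what the receiving side can look like. This is an added example, not part of the reply above and not PagerDuty's own code: a minimal Python webhook receiver that rejects any POST whose X-Webhook-Token header does not match a shared secret. The header name is the one suggested in the reply; the environment variable names (WEBHOOK_TOKEN, WEBHOOK_TOKEN_PREVIOUS) and the acceptance of a second, previous token so the secret can be rotated without dropping deliveries are assumptions made for this example. The comparison uses a constant-time check, the header lookup is case-insensitive (proxies may normalise header case), and the check runs before the body is read or parsed. In production the listener would sit behind a TLS-terminating proxy or gateway, as options 1 and 3 describe; here it serves plain HTTP on localhost.

```python
"""Example webhook receiver that authenticates requests via a shared-secret header.

Added illustration for the custom-header approach; the header name X-Webhook-Token
follows the reply above, everything else (env var names, rotation support) is assumed.
"""
import hmac
import json
import os
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER_NAME = "X-Webhook-Token"


def load_accepted_tokens(env=None):
    """Read the current secret and, optionally, the previous one (assumed env var names).

    Keeping the previous token valid for a short window lets you rotate the secret in
    PagerDuty and on the receiver without a gap in which deliveries are rejected.
    """
    env = os.environ if env is None else env
    tokens = tuple(
        value for value in (env.get("WEBHOOK_TOKEN"), env.get("WEBHOOK_TOKEN_PREVIOUS"))
        if value
    )
    if not tokens:
        raise RuntimeError("WEBHOOK_TOKEN must be set; refusing to start without a secret")
    return tokens


def header_token(headers):
    """Case-insensitive lookup of the token header in any name->value mapping."""
    wanted = HEADER_NAME.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return value
    return None


def authenticate(headers, accepted_tokens):
    """Return True only if the presented token matches one of the accepted secrets.

    hmac.compare_digest runs in time independent of where the strings differ, so an
    attacker cannot recover the secret byte by byte from response timing. Every
    accepted token is checked (no early exit) to keep timing uniform.
    """
    presented = header_token(headers)
    if presented is None:
        return False
    presented_bytes = presented.encode("utf-8")
    matched = False
    for token in accepted_tokens:
        matched |= hmac.compare_digest(presented_bytes, token.encode("utf-8"))
    return matched


def handle_incident(payload):
    """Application logic goes here; the body layout is whatever the workflow sends."""
    print("authenticated webhook received with keys:", sorted(payload) if isinstance(payload, dict) else type(payload).__name__)


class WebhookHandler(BaseHTTPRequestHandler):
    accepted_tokens = ()  # populated in main() before the server starts

    def _reply(self, status):
        self.send_response(status)
        self.end_headers()

    def do_POST(self):
        # Authenticate before touching the body: unauthenticated callers get no
        # parsing, no side effects and no detail about why they were rejected.
        if not authenticate(self.headers, self.accepted_tokens):
            self._reply(HTTPStatus.UNAUTHORIZED)
            return
        length = int(self.headers.get("Content-Length") or 0)
        try:
            payload = json.loads(self.rfile.read(length))
        except ValueError:
            self._reply(HTTPStatus.BAD_REQUEST)
            return
        handle_incident(payload)
        self._reply(HTTPStatus.NO_CONTENT)


def main(port=8080):
    WebhookHandler.accepted_tokens = load_accepted_tokens()
    # Plain HTTP on localhost for the example; terminate TLS in front of this in practice.
    HTTPServer(("127.0.0.1", port), WebhookHandler).serve_forever()


if __name__ == "__main__":
    main()
```

To try it locally: `WEBHOOK_TOKEN=s3cret python receiver.py`, then `curl -i -X POST -H 'X-Webhook-Token: s3cret' -d '{"incident":"demo"}' http://127.0.0.1:8080/` returns 204, while omitting or mistyping the header returns 401 without the body ever being parsed.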