The webhook auth process sends two POSTs (which makes sense), the first one to validate the URL is reachable, the second one with the code needed. What does not make sense to me is the different data structure of the two...

Before we blindly create a new record we of course check a few things in the posted data and return "unauthorized" if it doesn't match. Our server needs to know "is actual data being posted" (real data) vs "we can return OK and ignore this data" (webhook auth), since our server code has to explicitly "permit and return OK" for both forms of data to allow the authentication to proceed.

AS-IS:

{"data"=>{"message"=>"Hi! We're just verifying that the url exists."}}
{"data"=>{"validation_code"=>519939, "webhook_id"=>"xxxxxxxx"}}

AS-SHOULD BE (IMO): CONSISTENT AND UNIQUE-FOR-AUTH PURPOSES:

{"data"=>{"ziggeo_validation"=>"Hi! We're just verifying that the url exists."}}
{"data"=>{"ziggeo_validation"=>519939, "webhook_id"=>"xxxxxxxx"}}

If you do something like that, your customers' server-side code can safely "do nothing and return OK" any time data["ziggeo_validation"] is present. Easier on the server side.
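
An added example, not part of the original post and not Ziggeo's code: one way a receiving server could recognise the two AS-IS validation payloads by their exact key sets and answer OK without creating a record, while everything else still goes through the application's own checks. The event_ok callable and the "token" field in the sample input are hypothetical stand-ins for those checks.

```ruby
require "set"

# Key sets of the two AS-IS validation payloads quoted in the post.
PING_KEYS = Set["message"].freeze
CODE_KEYS = Set["validation_code", "webhook_id"].freeze

# Classify a parsed webhook body:
#   :validation_ping / :validation_code -> reply OK, create nothing
#   :event                              -> passed the application's checks
#   :unauthorized                       -> reject
# event_ok is a hypothetical callable standing in for the checks the
# receiving application already runs on real data.
def classify_webhook(body, event_ok:)
  data = body.is_a?(Hash) ? body["data"] : nil
  return :unauthorized unless data.is_a?(Hash)

  data = data.transform_keys(&:to_s)
  keys = data.keys.to_set
  # Exact key-set match: a body that only contains "message" next to other
  # fields is not treated as a validation request.
  return :validation_ping if keys == PING_KEYS && data["message"].is_a?(String)
  return :validation_code if keys == CODE_KEYS && data["validation_code"].is_a?(Integer)

  event_ok.call(data) ? :event : :unauthorized
end

# Map a classification to [http_status, create_record?].
def response_for(kind)
  case kind
  when :validation_ping, :validation_code then [200, false]
  when :event then [200, true]
  else [401, false]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; "token" is a hypothetical field.
  ok = ->(d) { d["token"] == "constructed-secret" }
  [
    { "data" => { "message" => "Hi! We're just verifying that the url exists." } },
    { "data" => { "validation_code" => 519939, "webhook_id" => "xxxxxxxx" } },
    { "data" => { "message" => "x", "token" => "wrong" } },
    { "data" => { "token" => "constructed-secret", "video" => "abc" } }
  ].each { |b| p response_for(classify_webhook(b, event_ok: ok)) }
end
```

Because the validation branches never create a record, a third party who imitates a validation payload gets a 200 and nothing else.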