Validate webhook provenance by looking at the X-Nango-Signature header. It’s a SHA-256 hash generated using the secret key found in the Environment Settings in the Nango UI. The webhook signature can be generated with the following code: 
import crypto from 'crypto';

const secretKeyDev = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';
const signature = `${secretKeyDev}${JSON.stringify(payload)}`;
const hash = crypto.createHash('sha256').update(signature).digest('hex');
Only accept a webhook if the X-Nango-Signature header value matches the webhook signature.