Register an endpoint in Settings → Developer → Webhooks. The signing secret (whsec_…) is shown once. Every delivery carries an MB-Signature header — an HMAC-SHA256 of the raw request body with your secret. Always verify before trusting a delivery.
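import hashlib
import hmac

def verify(body: bytes, header: str, secret: str) -> bool:
    # Recompute the HMAC-SHA256 over the raw body bytes exactly as received.
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    # Constant-time comparison; compare as bytes because compare_digest
    # raises TypeError when given a str containing non-ASCII characters.
    return hmac.compare_digest(expected.encode(), header.encode("utf-8", "replace"))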
The official SDKs wrap this as verifyWebhook / verify_webhook.
Verify against the raw request body, before any JSON parsing/re-serialization.
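Why the raw body matters, as an added example (not code from the SDKs): a handler that verifies the received bytes and only then parses them, next to the re-serialization mistake, which produces equivalent JSON but different bytes and therefore a different HMAC. The secret, the sample body and the helper names sign, handle_delivery and reserialized are constructed for illustration; the header is assumed to carry the bare hex digest, as in verify above, and to be looked up under the exact name MB-Signature.

```python
import hashlib
import hmac
import json

# Constructed sample values, not a real secret or a real delivery.
SECRET = "whsec_constructed_example"
RAW_BODY = b'{"id": "evt_1","amount":10.0,  "note":"caf\\u00e9"}'


def sign(body: bytes, secret: str) -> str:
    """Sender side: hex HMAC-SHA256 over the exact bytes put on the wire."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify(body: bytes, header: str, secret: str) -> bool:
    # Compare as bytes so a non-ASCII header is rejected instead of raising.
    return hmac.compare_digest(sign(body, secret).encode(),
                               header.encode("utf-8", "replace"))


def handle_delivery(raw_body: bytes, headers: dict, secret: str):
    """Return the parsed event, or None if the delivery must be rejected.

    raw_body must be the bytes read from the request, untouched by any
    framework JSON middleware.
    """
    header = headers.get("MB-Signature")
    if not header or not verify(raw_body, header, secret):
        return None
    return json.loads(raw_body)  # parse only after the signature checks out


def reserialized(raw_body: bytes) -> bytes:
    """The mistake: rebuilding the body from the already-parsed object."""
    return json.dumps(json.loads(raw_body)).encode()


if __name__ == "__main__":
    sig = sign(RAW_BODY, SECRET)
    print("raw body verifies:      ", verify(RAW_BODY, sig, SECRET))
    print("re-serialized verifies: ", verify(reserialized(RAW_BODY), sig, SECRET))
```

In a web framework, read the request's raw bytes before any body-parsing middleware consumes them and pass those bytes to the verification step.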