Your app's callback signing secret (whsec_…).
The EXACT raw request body string (do not re-serialize parsed JSON — whitespace matters).
Value of the X-AbsolutePay-Timestamp header (epoch ms string).
Value of the X-AbsolutePay-Signature header (hex).
true if the signature matches; false if any input is missing or it does not match.
Constant-time check that a webhook signature is authentic.
Recomputes
HMAC_SHA512(secret, "${timestamp}.${rawBody}")and compares it to the supplied signature. Prefer constructEvent, which also parses the event and enforces timestamp freshness; use this only for a fully custom handler.