X-Minisend-Signature: an HMAC-SHA256 hex of the raw JSON body, keyed with your webhook_secret. Verify it before processing.
Find your
webhook_secret in Settings. Treat it like a password.Sign over the raw body
The signature covers the exact bytes Minisend sent. Re-stringifying the parsed body (JSON.stringify(req.body)) can produce different bytes and break verification.
Capture the raw body before parsing. In Express, use express.raw({ type: 'application/json' }) for the webhook route.

