### Secure Webhook Endpoints with HMAC

Implementing HMAC (Hash-based Message Authentication Code) on your webhook endpoints will ensure the integrity of data, preventing tampering during transmission.
An HMAC used in webhooks is a common approach in the industry and essentially it is just special code that can be used to check if a message hasn't been tampered with during the transmission.

We recommend to configure an HMAC secret for your project using the [callback configuration](https://developers.sinch.com/docs/numbers/api-reference/imported-hosting/imported-numbers-and-hosting-orders-callbacks/updatecallbackconfiguration). Then, when sending the number events, the HTTP POST requests will include the header `X-Sinch-Signature` with the computed HMAC.

**NOTE:** The HMAC secret is configured per project; if you are using the Numbers API with multiple projects, make sure you configure the HMAC secret in each project, and fetch it for either imported or purchased numbers from the dedicated endpoints.