A tenant registers a delivery callback URL. The Hub sends a POST whenever Resend reports an email bounced or was opened. The body is JSON. The header X-Hub-Signature carries an HMAC-SHA256 digest computed over that body using a secret that only the Hub and the tenant know. The tenant recomputes the digest on receipt and compares. If they match, the request is authentic. If they do not, the request is dropped. This is the standard webhook-signing recipe. GitHub uses it. Slack uses it. Resend uses it on the way in. Now the Hub uses it on the way out. The obvious implementation looks like this: const body = JSON . stringify ( event ); const digest = crypto . createHmac ( ' sha256 ' , secret ). update ( body ). digest ( ' hex ' ); Enter fullscreen mode Exit fullscreen mode It worked in tests. It worked in the integration suite. It worked against a mock callback server. Then I tried to write a verification snippet for the tenant docs in Python, and the digests did not match.…