Every webhook from Xendit will have a verification token in the header of the webhook, with the parameter X-CALLBACK-TOKEN.
Every Xendit account will have its own unique token associated with the account. You can find the token on the Xendit dashboard of normal Xendit account, master account of xenPlatform, and MANAGED sub account.
With this, you can reject any webhook that are sent to the URL that does not have this same token on the header of the webhook. For more information, you can access our documentation here.