Every callback from Xendit will have a verification token in the header of the callback, with the parameter X-CALLBACK-TOKEN.
Every Xendit account will have its own unique token associated with the account. You can find the token on the Xendit dashboard.
With this, you can reject any callbacks that are sent to the URL that does not have this same token on the header of the callback. For more information, you can access our documentation here.