Currently, your webhook integration does not offer a secure way to verify its origins.
Looking at webhook HTTP POST responses, there are HTTP headers that suggest there is planned support for webhook signature verification - x-shipengine-rsa-sha256-key-i and x-shipengine-rsa-sha256-signature being the prominent ones. Unfortunately, to verify a RSA SHA256 signature developers need access to public rsa key to verify message payloads - which you don't provide.
Are there any plans to fully support webhook signature verification by providing a public RSA-SHA256 key?
