To prevent abuse of webhook events being sent to URLs outside of an account's control, we should require that all new endpoints respond to a webhook-endpoint.ack or webhook-endpoint.ping event, with a unique "pong" response before being enabled. Endpoints that have not gone through the ACK flow should not receive event deliveries, and should be considered disabled.
To prevent abuse of webhook events being sent to URLs outside of an account's control, we should require that all new endpoints respond to a
webhook-endpoint.ackorwebhook-endpoint.pingevent, with a unique "pong" response before being enabled. Endpoints that have not gone through the ACK flow should not receive event deliveries, and should be considered disabled.