$expected = hash_hmac('sha256', $request->getContent(), config('services.webhook.secret'));
abort_unless(hash_equals($expected, $request->header('X-Signature')), 403);