Whether incoming webhooks carry a verifiable signature. Providers that sign their webhooks (Stripe, Square) set this true so the endpoint rejects unsigned requests. Providers whose webhooks are unsigned (SumUp) set this false and instead establish authenticity by re-fetching from the API.