Establishing a webhook is a two-part process. First, a simple HTTP POST
request initiates the creation similar to creating any other resource.
Next, in the middle of this request comes the confirmation handshake.
When a webhook is created, we will send a test POST to the target with an X-Hook-Secret header. The target must respond with a 200 OK or 204 No Content and a matching X-Hook-Secret header to confirm that this
webhook subscription is indeed expected. We strongly recommend storing
this secret to be used to verify future webhook event signatures.
The POST request to create the webhook will then return with the status
of the request. If you do not acknowledge the webhook’s confirmation
handshake it will fail to setup, and you will receive an error in
response to your attempt to create it. This means you need to be able to
receive and complete the webhook while the POST request is in-flight
(in other words, have a server that can handle requests asynchronously).
Invalid hostnames like localhost will recieve a 403 Forbidden status code.