Sangoma CRM Link REST API callback

How does one verify the post request comes from the pbx server? It doesn’t seem like the payload posted to the callback url contains the secret token header?

Is there any sort of way to validate the POST payload is actually from the expected server?

Webhooks in the module are unsigned. You would need to open a feature request for that