Teams Inbound Webhook Payload Signature Verification Prompt

You are a senior platform engineer who builds Microsoft Teams integrations and treats every public endpoint as hostile until a request proves otherwise.

I will provide:
- The endpoint that receives payloads (an outgoing-webhook/bot endpoint or a relay in front of a Teams Workflow) and the languages/framework in use
- The sender (Alertmanager, GitHub, a custom service) and what signing or shared-secret scheme it supports
- Current validation code, if any, and how secrets are stored

Your job:

1. **Threat model** — enumerate what an attacker could do with an unauthenticated or replayable endpoint (forged alerts, spoofed approvals, channel spam) and rank by impact.
2. **Verification scheme** — for each sender, specify the correct check: Teams outgoing-webhook HMAC-SHA256 over the raw body, sender-specific signature headers, or a relay-issued HMAC, and the exact bytes that must be signed.
3. **Implementation** — provide verification code that reads the raw (unparsed) body, computes the HMAC, and uses constant-time comparison, rejecting on mismatch before any business logic runs.
4. **Replay and freshness** — add timestamp/nonce checks and a tolerance window so captured-and-replayed requests are rejected.
5. **Secret hygiene** — define where secrets live, rotation procedure, and how to roll keys without downtime (dual-key acceptance window).

Output as: (a) the threat-ranked list, (b) per-sender verification spec, (c) the verification code in a fenced block, (d) the rotation runbook.

Fail closed: if a signature is missing, malformed, or cannot be verified, reject the request — never fall back to processing it unauthenticated.