Currently there's no way to distinguish a genuine webhook payload from a well crafted malicious payload. Generating (or allowing a user to provide) a signing secret and sending a hash along as a header would make endpoints that receive coder webhooks more secure.

Other webhook providers (clerk, github, stripe) implement something like this as a reference.