in Zoho Sign, what protection is in place - if any - so that the receiving endpoint can verify the authenticity of the sender (Zoho DC / app). otherwise anyone knowing the https address of my endpoint can forge the request.

webhooks signatures would be ideal.

is it possible to whitelist Zoho Sign EU DC IPs at least?

query params with secret token would be possible but that's generally quite a weak protection.

I could not find anything in the docs: