How do you usually validate the web hook from your end? Do you call it from a fixed IP which we can whitelist or do you authenticate our API accounts credentials with f.e. or something similar?

We do not really make any extra security checks on top of HTTPS protocol. We just send a handshake event and check that the server returns the expected value back. However, there is one way to protect API if needed, we can use API key header. Something like:

• the client builds publicly available web-hook endpoint and protects it with API key secret. In most cases "X-API-Key" HTTP header.
• the client shares this with us
• we can use it and deliver with each event from our system