A partner sends you webhooks with an HMAC signature header. Explain how to verify them correctly and why each step matters: how HMAC signing works, why you compare with a constant-time comparison, why the signature must cover a timestamp and how that prevents replay, and why you must verify against the raw request body. Then explain how this differs from verifying an asymmetric (public-key) signature, and how you rotate a signing secret with zero downtime.