diff --git a/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md b/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md new file mode 100644 index 0000000..36c2587 --- /dev/null +++ b/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md @@ -0,0 +1,21 @@ +--- +name: "WhatsApp webhook HMAC signature verification" +--- + +# Story 388: WhatsApp webhook HMAC signature verification + +## User Story + +As a bot operator, I want incoming WhatsApp webhook requests to be cryptographically verified, so that forged requests from unauthorized sources are rejected. + +## Acceptance Criteria + +- [ ] Meta webhooks: validate X-Hub-Signature-256 HMAC-SHA256 header using the app secret before processing +- [ ] Twilio webhooks: validate request signature using the auth token before processing +- [ ] Requests with missing or invalid signatures are rejected with 403 Forbidden +- [ ] Verification is fail-closed: if signature checking is configured, unsigned requests are rejected +- [ ] Existing bot.toml config is extended with any needed secrets (e.g. Meta app_secret for HMAC verification) + +## Out of Scope + +- TBD
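Review bot: The fail-closed criterion in the Acceptance Criteria list leaves the unconfigured case undefined: "if signature checking is configured, unsigned requests are rejected" implies that a deployment with no app secret or auth token set will accept unsigned requests, which is the opposite of fail-closed. Suggest stating the default explicitly, e.g. "Webhook endpoints refuse to start (or reject all requests with 403) when no verification secret is configured", or, if an opt-out is intended, require an explicit config flag so silent acceptance cannot happen by omission. Two further points the criteria should pin down so implementers do not get them wrong: the Meta X-Hub-Signature-256 check must be computed over the raw request body bytes as received (not a re-serialized JSON object), and both the Meta and Twilio comparisons must use a constant-time equality check rather than plain string comparison. Lastly, the bot.toml criterion only lists Meta app_secret as an example while the Twilio criterion depends on the auth token; listing both secrets there, and replacing the "TBD" under Out of Scope with the intended exclusions, would make the story complete.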