I am currently integrating with the Google Cross Account Protection (RISC). As per the docs, there must be some sort of security token that will be posted to the endpoint that you registered. The callback is working fine that I am receiving from google.
However, I cannot see in the payload/headers the security event token that the docs is referring.
In order to integrate with Google's Cross Account Protection, you need to have an app that uses Google Sign In. If you do, then Google will send you security events. You can see what the payload looks like here [1].
Since security events are rare, you can test your stream and that you're validating the Security Event Token payload using a verification event [2].
[1] https://developers.google.com/identity/risc#handle_events
