The security section covers signature verification well, but I'm curious about your take on replay attacks — a valid signed payload can be resent hours later. Did you consider recommending timestamp validation alongside HMAC verification, where the receiver rejects payloads older than a configurable window?
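An added example (not part of the comment above, and not code from the article it responds to) of the check the comment describes: the sender signs the timestamp together with the body, and the receiver rejects anything outside a configurable window. The `timestamp.body` signing format, the function names, the 300-second default and the sample values are assumptions.

```python
import hashlib
import hmac
import time

DEFAULT_TOLERANCE_S = 300  # assumed default; the window is meant to be configurable


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: the MAC covers the timestamp as well as the body."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret, timestamp_header, signature_header, body,
           now=None, tolerance_s=DEFAULT_TOLERANCE_S):
    """Receiver side: return (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False, "bad timestamp"
    if not isinstance(signature_header, str):
        return False, "bad signature"
    expected = sign(secret, ts, body)
    # Constant-time comparison; check the MAC before trusting the timestamp.
    if not hmac.compare_digest(expected.encode(), signature_header.encode()):
        return False, "bad signature"
    # abs() also rejects timestamps too far in the future (clock skew abuse).
    if abs(now - ts) > tolerance_s:
        return False, "outside window"
    return True, "ok"


# Constructed sample values, for illustration only.
SECRET = b"constructed-test-secret"
BODY = b'{"event":"invoice.paid","id":"evt_constructed_1"}'
SENT_AT = 1_700_000_000
SIG = sign(SECRET, SENT_AT, BODY)

if __name__ == "__main__":
    print(verify(SECRET, str(SENT_AT), SIG, BODY, now=SENT_AT + 10))
    print(verify(SECRET, str(SENT_AT), SIG, BODY, now=SENT_AT + 3 * 3600))
    print(verify(SECRET, str(SENT_AT + 3 * 3600), SIG, BODY, now=SENT_AT + 3 * 3600))
```

Because the timestamp is inside the signed message, rewriting the timestamp header to a fresh value invalidates the signature. A resend inside the window still verifies, so receivers that need exactly-once handling also deduplicate on an event identifier.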