Basic Mailgun WebHook ReceiverHere's a basic setup of how to validate an authentic POST to your endpoint from Mailgun Routes.

ApiController.groovy

class ApiController {
  protected def getConfig() {
    getGrailsApplication().config
  }
	
  protected def jsonData(data = null, otherData = null) {
    ([data: data] + (otherData ?: [:])) as JSON
  }
  
  protected def renderUnacceptable() {
    response.status = 406
    withFormat {
      json { render jsonData('Unacceptable') }
    }
  }
}

CryptUtils.groovy

import java.security.*
import org.apache.commons.codec.binary.Hex
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

class CryptUtils {
  static def validateToken(apiKey, timestamp, token, signature) {
    def value = timestamp + token				
    def mac = Mac.getInstance("HmacSHA256")		
    mac.init(new SecretKeySpec(apiKey.getBytes('UTF-8'), "HmacSHA256"))	
    def valueDigest = mac.doFinal(value.getBytes('UTF-8'))
    
    return signature == Hex.encodeHexString(valueDigest)
  }	
}

ReceiveController.groovy

class ReceiveController extends ApiController {	
  static allowedMethods = [
    receive: 'POST'
  ] 
	
  def receive() {
    if(!CryptUtils.validateToken(
      config.mailgun.apiKey,
      params.int('timestamp').toString(), 
      params.token, 
      params.signature 
    )) {
      renderUnacceptable() 
      return
    }	
    
    // .. do your stuff
  }
}