What is the security/verification system that PayPal IPN uses called?


In the implementation of an IPN listener: https://developer.paypal.com/api/nvp-soap/ipn/IPNImplementation/

I understand the IPN listener verifies that the message sent to it comes from PayPal by using these steps:

Your listener sends the complete message back to PayPal using HTTPS POST.

Prefix the returned message with the cmd=_notify-validate variable, but do not change the message fields, the order of the fields, or the character encoding from the original message.

Send response messages back to PayPal

PayPal sends one of the following words back to your listener:

VERIFIED (if the message matches the original)

INVALID (if the message does not match the original)

I am very interested in implementing this security feature in a webhook I want to develop, but I can't find documentation on how this actually works on the server side. What is this verification called?

I assume: PayPal saves a request's data in a database before posting it to the IPN listener. When the listener posts the data back to PayPal, the latter just checks that it is in its database. If it exists, return "VERIFIED", and if not, return "INVALID".

Is it that simple? Is it robust?

Preston PHX

I assume: PayPal saves a request's data in a database before posting it to the IPN listener. When the listener posts the data back to PayPal, the latter just checks that it is in its database. If it exists, return "VERIFIED", and if not, return "INVALID".

Yes, that is essentially how PayPal IPN postbacks work. Whether it checks the whole stored data or a stored signature/hash of the data is an implementation detail; either is sufficient for verification.


Current PayPal Webhooks support cryptographic verification without a postback, so perhaps you are interested in something more modern than the 20-year-old IPN design that always depends on postbacks to determine authenticity.
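
An added sketch, not part of the answer above and not PayPal's server code, of the sender side of a postback check that stores a digest of each notification, next to a postback-free check. PostbackSender, sign and signature_ok are hypothetical names, the sample messages are constructed, and the HMAC variant is a generic stand-in rather than the scheme PayPal Webhooks use.

```python
import hashlib
import hmac
PREFIX = b"cmd=_notify-validate&"  # prefix the listener adds to its postback


class PostbackSender:
    """Hypothetical sender that remembers a digest of every notification it issued."""
    def __init__(self):
        self._issued = set()  # assumption: a real service would use a database with expiry

    def notify(self, body: bytes) -> bytes:
        self._issued.add(hashlib.sha256(body).digest())  # record the exact bytes sent
        return body

    def validate(self, postback: bytes) -> str:
        """Answer a listener's postback with VERIFIED or INVALID."""
        if not postback.startswith(PREFIX):
            return "INVALID"
        digest = hashlib.sha256(postback[len(PREFIX):]).digest()
        return "VERIFIED" if digest in self._issued else "INVALID"


def sign(key: bytes, body: bytes) -> str:
    """Postback-free alternative: generic HMAC, assumed here for illustration."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def signature_ok(key: bytes, body: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(key, body), signature)


def demo() -> dict:
    sender = PostbackSender()
    # Constructed sample notification, not real PayPal data.
    body = sender.notify(b"txn_id=EXAMPLE123&payment_status=Completed&mc_gross=10.00")
    reordered = b"payment_status=Completed&txn_id=EXAMPLE123&mc_gross=10.00"
    forged = b"txn_id=EXAMPLE999&payment_status=Completed&mc_gross=10.00"
    key = b"constructed-shared-secret"
    return {
        "genuine": sender.validate(PREFIX + body),
        "reordered": sender.validate(PREFIX + reordered),  # same fields, new order
        "forged": sender.validate(PREFIX + forged),
        "hmac_genuine": signature_ok(key, body, sign(key, body)),
        "hmac_forged": signature_ok(key, forged, sign(key, body)),
    }


if __name__ == "__main__":
    print(demo())
```

The reordered case shows why the listener must not change the fields, their order, or the encoding before posting back. In this sketch a replayed genuine notification still returns VERIFIED, so the listener has to deduplicate on a transaction identifier itself.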