Recommendations for validation of authentic POST call for OneSignal push callback?

For associating users to devices, I understand the workflow for storing the OneSignal Player ID by defining a callback to our server-side POST call.

However, is there a recommended way to validate the request is authentic (e.g. from GoNative and not some other malicious actor)? Something like a JWT, or even something like a specific set of IP addresses we would anticipate the request coming from?

From a security POV, I want to ensure no one can try to maliciously inject a bogus or other OneSignal ID to obtain info through push notifications.