How does my service know a request came from Forte?
Check the X-Forte-Trusted header: Forte sets it to 1 on requests it originates and strips all X-Forte-* headers from inbound traffic it didn't send, so its presence is proof. In your action handler, verify that header, dedupe on the X-Forte-Action-Invocation-Id header (Forte may retry), and return a 2xx quickly — do slow work in the background.