There are at least two ways to go about it:

1. A normal ping that gets invoked every X minutes/hours and just verifies it still returns 2xx. If it does, keep it up, if it fails at least Y times, disable. This can also be used when first adding an endpoint to make sure it's configured correctly.
2. Expect the endpoint to pass a test to make sure that it has the key. This is potentially better for security, as we know the endpoint owns the key we expect it to have. The problem is that the secret is only available after the endpoint is created so this will fail in the beginning for sure. We could make it delayed, so that it only checks after a certain grace period, though is it useful enough to warrant the trouble?

Could this not be tied into the event type - like swh:ping.
It could also allow for more features later on by just denoting event types with swh: are for standard webhooks.
eg - swh:verify could verify the secret or whatever to make sure a request would be valid.

you could further extend this for swh:test:(event type) for an event that should just run a test.

this would mean any wh consumer that is swh complaint would be able to verify its online, validate security and run through validation tests by default.

My comment does kinda feel more implementationy but would be a standard spec part - so if we are going to do ping.... might as well just make sure we got future changes ready.