by olehif 384 days ago
API keys are symmetrical, so every client needs a unique one. Singing allows the server to have only one certificate for all clients (webhook receivers). More convenient.
3 comments

But the server has no problem storing a unique webhook address for each client.

I suppose you can just add a bearer token into the address, if you need that. A different address per association, containing a bearer token, with HTTPS, provides the same security as if the bearer token was sent in a separate header.

Webhooks basically never implement asymmetric signing. If you survey the industry, 99% of the time, if it’s signed, it’s HMAC.
if the server can carry a tune that is
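
The HMAC scheme mentioned in the thread, as an added example that is not from any commenter: the sender keeps one shared secret per receiver, which is the per-client key management the first comment refers to. The signed-message layout (timestamp joined to the body with "."), the secret values, the 300-second window and the payload are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed per-receiver secrets. With HMAC the sender must store one per
# receiver, because anyone holding a secret can also produce valid tags with it.
RECEIVER_SECRETS = {
    "receiver-a": b"constructed-secret-a",
    "receiver-b": b"constructed-secret-b",
}
MAX_SKEW = 300  # seconds; assumed replay window


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the timestamp and the raw request body."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: int, body: bytes, signature: str, now: int) -> bool:
    """Receiver side: reject stale deliveries, then compare in constant time."""
    if abs(now - timestamp) > MAX_SKEW:
        return False
    expected = sign(secret, timestamp, body)
    # Compare as bytes so a non-ASCII signature header cannot raise TypeError.
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo() -> dict:
    """Run the checks on a constructed delivery addressed to receiver-a."""
    secret_a = RECEIVER_SECRETS["receiver-a"]
    secret_b = RECEIVER_SECRETS["receiver-b"]
    body = b'{"event":"invoice.paid","id":"constructed-1"}'  # constructed payload
    ts = 1_700_000_000
    sig_a = sign(secret_a, ts, body)
    return {
        "valid": verify(secret_a, ts, body, sig_a, now=ts + 10),
        "tampered_body": verify(secret_a, ts, body + b" ", sig_a, now=ts + 10),
        "stale": verify(secret_a, ts, body, sig_a, now=ts + 3600),
        # A tag made with receiver-a's secret does not verify under receiver-b's.
        "wrong_receiver": verify(secret_b, ts, body, sig_a, now=ts + 10),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```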