by mfbx9da4
381 days ago
The API producer will always retain ownership over the authentication mechanism. The article is comparing the use of a shared secret vs. HMAC.

For shared secret: Who specifies auth? The webhook producer. Who implements auth? The webhook consumer. For HMAC / signing it's exactly the same parties who do those things. Discussions about mutual TLS and public keys are out of scope.
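An added example, not from the thread, that puts the two schemes the comment compares side by side in Python: the producer-side header construction and the consumer-side check for each. The secret value, header names and sample bodies are constructed assumptions.

```python
import hmac
import hashlib

# Constructed sample secret, known to both producer and consumer (assumed value).
SHARED_SECRET = b"example-webhook-secret"
SIG_PREFIX = "sha256="


def deliver_with_shared_secret(body: bytes) -> dict:
    """Producer side, shared-secret scheme: the secret itself is the header value."""
    return {"X-Webhook-Token": SHARED_SECRET.decode()}


def verify_shared_secret(headers: dict, body: bytes) -> bool:
    """Consumer side: compares the presented token against the secret in constant time.
    The body plays no part, so the check cannot detect a modified payload."""
    token = headers.get("X-Webhook-Token", "").encode()
    return hmac.compare_digest(token, SHARED_SECRET)


def deliver_with_hmac(body: bytes) -> dict:
    """Producer side, HMAC scheme: only a MAC over the body leaves the producer;
    the secret never travels on the wire."""
    mac = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    return {"X-Webhook-Signature": SIG_PREFIX + mac}


def verify_hmac(headers: dict, body: bytes) -> bool:
    """Consumer side: recompute the MAC over the received body and compare in
    constant time. A MAC for one body does not verify against another."""
    sig = headers.get("X-Webhook-Signature", "")
    if not sig.startswith(SIG_PREFIX):
        return False
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig[len(SIG_PREFIX):], expected)


def accepts_tampered_body(headers: dict, tampered: bytes) -> tuple:
    """Shows the difference in what each header binds: returns
    (shared_secret_accepts, hmac_accepts) for headers reused with a changed body."""
    return verify_shared_secret(headers, tampered), verify_hmac(headers, tampered)


if __name__ == "__main__":
    body = b'{"event":"paid","amount":100}'       # constructed sample payload
    tampered = b'{"event":"paid","amount":999}'   # constructed modified payload
    print(accepts_tampered_body(deliver_with_shared_secret(body), tampered))  # (True, False)
    print(accepts_tampered_body(deliver_with_hmac(body), tampered))           # (False, False)
```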
In summary of my other comment, it is the case that the implementation and execution roles are the same but the threat surface is very different.