This is a question I have always asked myself regarding webhooks. Why not let the sender pass a token (originally crafted by the receiver) via the `Authorization` header?