Support specifying webhook security scheme

[mfbx9da4]

Webhook security often involves signing various parts of the request with a symmetric signing algorithm such as HMAC-SHA256 and including the signature as a header. There's lots of variance about the format of the signature. Others employ asymmetric algorithms or some just use a plain shared secret aka API key.

In all those cases though, webhook security is a different scheme to the top level spec security. We need a way to configure webhook security clearly and support common signing schemes.

Related issues

• Support for message level security #1953
• Specifying HMAC-based authentication in the spec #344
• Support for JOSE (JSON Signature and Encryption) Standards #1464

Slack thread

• https://open-api.slack.com/archives/C0EDH2QKD/p1730871606673419