Is there any chance that you can add a signature of the webhook body to include with the webhook payload? This would be based on an HMAC signature based on secret key in our account, perhaps in the webhook integration settings.
This way we can validate integrity and security of the payload.
Similar to this, I would rather have a custom API were I could put secrets in the header and the body. If it is to be a webhook, then we would need the webhook to occur on the form load.
Another option would be a section to store global variables for all forms to access. These could be stored as secrets so other users would not be able to view them.