have to be sent through the callback url like so http://:@mywebshop.com/api/custom_endpoint.
Nope. You can also use digest authentication. Then you don’t need to put username and password in the url. If that’s also not supported by your webhook you could go with a controller:
But then everyone could access it without authentication unless you implement your own.