destwebhook signing secret template

[alexluong]

Configurable Webhook Signing Secret Generation

Problem

Currently, webhook signing secrets are auto-generated as 32-byte random hex strings. There's no way to customize the secret format or generation pattern, which limits flexibility for users who want to use a specific secret format (e.g., whsec_xxxxx prefix like Stripe).

Current Behavior

func generateSignatureSecret() (string, error) {
    randomBytes := make([]byte, 32)
    rand.Read(randomBytes)
    return hex.EncodeToString(randomBytes), nil // Always returns 64-char hex string
}

Proposed Solution

Add a template-based configuration similar to existing signature templates:

Config:

destinations:
  webhook:
    signing_secret_template: "whsec_{{.RandomHex}}"  # or "{{.RandomBase64}}", etc.

Environment Variable:

WEBHOOK_SIGNING_SECRET_TEMPLATE="whsec_{{.RandomHex}}"

Template Variables

Suggested template variables:

• {{.RandomHex}} - 64-char hex string (current default)
• {{.RandomBase64}} - Base64-encoded random bytes
• {{.RandomAlphanumeric}} - Alphanumeric random string

and other ID generation functions if necessary.

Breaking Change Considerations

Current behavior as template: {{.RandomHex}} (64-character hex string from 32 random bytes)

This is a breaking change if we change the default template to something else (e.g., whsec_{{.RandomHex}}).

[alexluong]

Revisited during triage. This is important — the signing secret should support a configurable prefix template (e.g., whsec_...) rather than being a plain random string. This makes secrets recognizable, easier to identify in logs/configs, and aligns with industry conventions (Stripe's whsec_, etc.).

Bumping priority. Should be a relatively small change to the secret generation logic.