According to the current Webhooks Events API documentation, only the client authenticates to Strava upon subscription registration/check, with the API client_id and client_secret.
This is great but IMO insufficient, as both parties should somehow be authenticated. In other words, Strava should authenticate with the Webhook subscriber. The way it is done at the moment, an attacker could impersonate Strava's API, sending fake event data to the client's endpoint. The only way the client could defend against this would be checking whether the subscription ID matches or not. But this is neither proposed as a security measure on the documentation site, nor implicit within the process (it's something that the clients would need to implement ad hoc). Moreover, since the subscription_id field is an integer, it could be pretty easy for an attacker to guess the right value.
Is there any other way of dealing with this that you could suggest?
Thanks in advance.
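The scenario the post describes, and the usual remedy for it, as an added example that is not part of the original post and does not describe Strava's API: a hypothetical signed-webhook scheme in which provider and subscriber share a random per-subscription secret at registration, and every delivery carries a header (here assumed to be called `X-Hook-Signature`) with a timestamp and an HMAC-SHA256 over the timestamp and the raw body. `weak_check` is the only defence the post identifies (matching the integer `subscription_id`); `verify` is the sender-authenticating check. The event bodies, the secret and the field names other than `subscription_id` are constructed for illustration.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical scheme for illustration (not Strava's API): at subscription
# registration the provider and the subscriber share a random per-subscription
# secret. Every delivery then carries a header such as
#   X-Hook-Signature: t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">
# so the receiver can authenticate the sender and reject replays.

TOLERANCE_SECONDS = 300  # accept deliveries whose timestamp is within 5 minutes


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Provider side: build the signature header for one delivery."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def weak_check(body: bytes, expected_subscription_id: int) -> bool:
    """The only defence available in the post's description: compare the
    integer subscription_id carried in the body. Anyone who guesses it passes."""
    try:
        event = json.loads(body)
    except ValueError:
        return False
    return event.get("subscription_id") == expected_subscription_id


def verify(secret: bytes, header: str, body: bytes, now: Optional[float] = None) -> bool:
    """Subscriber side: authenticate the sender of one delivery.

    Recomputes the HMAC over the raw bytes (never over re-serialised JSON),
    compares in constant time, and rejects stale timestamps to limit replay.
    """
    now = time.time() if now is None else now
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        ts = int(fields["t"])
        presented = fields["v1"]
    except (ValueError, KeyError):
        return False  # malformed or missing header
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # too old (replay) or too far in the future
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


# Constructed sample data (not captured from any real service). Only
# subscription_id comes from the post; the other field names are assumed.
SECRET = b"per-subscription-secret-shared-at-registration"
SUBSCRIPTION_ID = 120475
NOW = 1_700_000_000

LEGIT_BODY = json.dumps({
    "object_type": "activity", "aspect_type": "create", "object_id": 1,
    "owner_id": 42, "subscription_id": SUBSCRIPTION_ID, "event_time": NOW - 2,
}).encode()
LEGIT_HEADER = sign(SECRET, NOW - 2, LEGIT_BODY)

# Attacker impersonating the provider: guessed the integer subscription_id
# correctly but does not hold the shared secret.
FORGED_BODY = json.dumps({
    "object_type": "activity", "aspect_type": "delete", "object_id": 999,
    "owner_id": 42, "subscription_id": SUBSCRIPTION_ID, "event_time": NOW,
}).encode()
FORGED_HEADER = sign(b"attacker-does-not-know-the-secret", NOW, FORGED_BODY)


def demo() -> dict:
    """Run both checks over legitimate, forged, tampered and replayed deliveries."""
    tampered = LEGIT_BODY.replace(b'"object_id": 1', b'"object_id": 2')
    return {
        "legit_weak": weak_check(LEGIT_BODY, SUBSCRIPTION_ID),
        "legit_hmac": verify(SECRET, LEGIT_HEADER, LEGIT_BODY, now=NOW),
        "forged_weak": weak_check(FORGED_BODY, SUBSCRIPTION_ID),   # guess passes
        "forged_hmac": verify(SECRET, FORGED_HEADER, FORGED_BODY, now=NOW),
        "tampered_hmac": verify(SECRET, LEGIT_HEADER, tampered, now=NOW),
        "replayed_hmac": verify(SECRET, LEGIT_HEADER, LEGIT_BODY,
                                now=NOW + TOLERANCE_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} accepted={ok}")
```

The forged delivery passes `weak_check` because the integer was guessable, but fails `verify` because the attacker cannot produce the MAC; the tampered and replayed cases show why the body must be signed as raw bytes and why a timestamp is part of the signed data. Any such scheme still has to be offered by the provider; a subscriber cannot add it unilaterally.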