When setting up an Subscription WebHook notification, it’s possible to add a key/value pair as a header on the HTTP call. It appears it has to be entered verbatim as a literal and cannot be in any sort of Octopus variable. It also appears that the value is stored in cleartext, and anyone with the SubscriptionView permission will be able to read the value. This makes it insecure for use in supplying an API key, which is the biggest reason I can think of for passing a key/value pair as a header.
Is there something I’m missing? Is there a way to specify the value for a key/value pair in a way that’s at least minimally secure (beyond revoking SubscriptionView privileges from all but administrators)?