TL;DR
Built an embeddable support widget for a helpdesk product: no cookies — a short-lived bearer token in a header, hashed at rest.
Entry is an HMAC-signed assertion from the host page. An adversarial review caught four real holes before launch.
Outbound webhooks: sign the exact bytes, dedupe key for idempotency, SSRF guard on destination URLs.
The requirement: end users file tickets from pages the product doesn't own. That means an embeddable widget — and embeddable means everything you know about sessions stops working.






