TL;DR

Built an embeddable support widget for a helpdesk product: no cookies — a short-lived bearer token in a header, hashed at rest.

Entry is an HMAC-signed assertion from the host page. An adversarial review caught four real holes before launch.

Outbound webhooks: sign the exact bytes, dedupe key for idempotency, SSRF guard on destination URLs.

The requirement: end users file tickets from pages the product doesn't own. That means an embeddable widget — and embeddable means everything you know about sessions stops working.