I want a webhook to trigger a command, without giving the webserver auth to do, well, anything.

Solution: create an ssh keypair, add the public key to the target account's authorized keys with exactly the permitted command, and then have the webhook trigger an ssh connect to request that the task is run.

Only the person who holds the ssh private key can trigger the command, and the person holding the private key can only trigger the command. Ideal.

(Implementation note: get the webhook receiver app to create and store the ssh keys, and to show a "copy this into your authorised keys" box somewhere)
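A sketch of both halves in shell, added here as an illustration and not code from the original post: the receiver creates a dedicated key and prints the `authorized_keys` line to copy, and the webhook handler connects with only that key. The key path, function names, target host and permitted command are hypothetical placeholders.

```shell
#!/bin/sh
# Added example. KEY_FILE, the function names, the host and the permitted
# command are hypothetical; the ssh/ssh-keygen options are standard OpenSSH.

KEY_FILE="${KEY_FILE:-./webhook_ed25519}"   # private key stored by the receiver app

# Receiver side: create a dedicated, passphrase-less key once.
# Never reuse a personal key for this.
ensure_key() {
    [ -f "$KEY_FILE" ] || ssh-keygen -q -t ed25519 -N '' -C 'webhook-trigger' -f "$KEY_FILE"
}

# Build the line for the "copy this into your authorised keys" box.
# $1 = the one permitted command, $2 = public key text ("type base64 [comment]").
# command="..." forces that command no matter what the client asks to run;
# "restrict" (OpenSSH 7.2+) also disables pty allocation and all forwarding.
authorized_keys_entry() {
    cmd=$1
    pub=$2
    case $cmd in
        *'
'*) echo 'permitted command must be a single line' >&2; return 1 ;;
    esac
    # Double quotes inside command="..." must be backslash-escaped.
    escaped=$(printf '%s' "$cmd" | sed 's/"/\\"/g')
    printf 'restrict,command="%s" %s\n' "$escaped" "$pub"
}

# Webhook handler side: $1 = user@host of the target account.
# IdentitiesOnly stops ssh from offering any other key; BatchMode makes it
# fail instead of prompting. sshd runs the forced command on connect.
trigger() {
    ssh -T -i "$KEY_FILE" -o IdentitiesOnly=yes -o BatchMode=yes "$1"
}
```

Typical use: run `ensure_key`, show the output of `authorized_keys_entry '/usr/local/bin/deploy.sh' "$(cat "$KEY_FILE.pub")"` to the admin of the target account, then call `trigger deploy@target.example` from the webhook handler.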

