🌟 Expose webhook signing secret in UI or API response on creation #1136
Description
Is your feature request related to a problem? Please describe.
When a webhook is created, a 32-character HMAC signing secret is auto-generated (Str::random(32) in CreateWebhookService) and used by Spatie webhook-server to sign outgoing payloads via the Signature header. However, there is no way for webhook consumers to retrieve this secret:
- The UI does not display it
- The API excludes it from responses (`WebhookResource` does not include `getSecret()`)
- There is no "reveal secret" or "regenerate secret" action
This makes it impossible for consumers on the hosted cloud platform to verify webhook signatures, defeating the purpose of the signing mechanism.
Describe the solution you'd like
Return the secret in the API response when the webhook is first created (show-once pattern, similar to how Stripe returns webhook signing secrets only on creation). Optionally, display it in the UI on creation with a "copy to clipboard" button and a note that it won't be shown again.
Additional context
- Secret is generated in `CreateWebhookService::createWebhook()` via `Str::random(32)`
- Stored in the `webhooks.secret` DB column
- Used in `WebhookDispatchService::dispatchWebhook()` via `->useSecret($webhook->getSecret())`
- The fix would be adding `'secret' => $this->getSecret()` to `WebhookResource::toArray()`, ideally only on the create response (or behind a dedicated "reveal" endpoint)
Current workarounds
- Self-host Hi.Events just to access the DB and read the secret
- Skip signature verification on our webhook consumer and accept unsigned payloads. This means anyone who discovers the endpoint URL can send forged events.
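The consumer-side check that the missing secret prevents, as an added example that is not part of the issue or of the Hi.Events code base. It assumes the Spatie webhook-server default signing scheme (HMAC-SHA256 over the JSON request body, hex-encoded, sent in a `Signature` header); confirm that against the server's webhook-server configuration before relying on it. The secret and payload below are constructed sample values, and `handle_webhook` is a hypothetical framework-agnostic handler.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample secret: 32 characters, the same shape as Str::random(32).
# A real deployment would read this from the create response or a secret store.
SAMPLE_SECRET = "0123456789abcdef0123456789abcdef"


def compute_signature(raw_body: bytes, secret: str) -> str:
    """HMAC-SHA256 of the raw request body, hex-encoded.

    Assumed to match Spatie webhook-server's default signer. The HMAC is taken
    over the exact bytes received, never over a re-serialised copy of the JSON,
    because any whitespace or key-order change would alter the digest.
    """
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, signature_header: Optional[str], secret: str) -> bool:
    """Return True only if the header carries a valid signature for this body."""
    if not signature_header:
        # An unsigned request is rejected outright; accepting it is exactly
        # the "skip verification" workaround the issue describes.
        return False
    expected = compute_signature(raw_body, secret)
    # Constant-time comparison so timing does not leak how many leading
    # characters of a guessed signature were correct.
    return hmac.compare_digest(expected, signature_header)


def handle_webhook(raw_body: bytes, headers: dict, secret: str) -> Tuple[int, str]:
    """Hypothetical handler: verify first, parse the payload only afterwards."""
    if not verify_signature(raw_body, headers.get("Signature"), secret):
        return 401, "invalid or missing signature"
    event = json.loads(raw_body)
    return 200, str(event.get("event_type", "unknown"))


if __name__ == "__main__":
    # Constructed sample payload standing in for a Hi.Events webhook delivery.
    body = b'{"event_type":"order.created","id":1}'
    good_sig = compute_signature(body, SAMPLE_SECRET)
    print(handle_webhook(body, {"Signature": good_sig}, SAMPLE_SECRET))
    print(handle_webhook(body, {}, SAMPLE_SECRET))
    print(handle_webhook(body + b" ", {"Signature": good_sig}, SAMPLE_SECRET))
```

The forged-event risk described under "Current workarounds" is the third call: a body that differs by a single byte from what was signed, or a request with no `Signature` header at all, is refused before the JSON is ever parsed.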