Can token decryption endpoint response codes variability lead to security vulnerabilities?

To clarify the question, here’s our case:
We generate encrypted tokens by applying AES-CBC (256-bit) and Base64 to the payload:
encrypted_token = Base64.encode(AES_CBC_256.encrypt(key, iv, payload)).
These encrypted tokens are publicly availab…

Why are HMAC signatures frequently used for webhook authorization but not other HTTP API requests?

HMAC signatures are very commonly used for webhook authorization from service to consumer.
Examples:

Stripe
Slack
Twilio
Twitter
GitHub

and hundreds and hundreds more. This seems a near universal design decision.
Yet, the other direction…