Same org as OP, different role.

SendGrid - at this time only has webhook integration that uses OAUTH2 or Cryptographic Signaling with no ability to access header configuration to use the Splunk HTTP Event Collector tokens.

The Token CAN be embedded in the URL target itself but might be able to be intercepted enroute before encrypted handshakes.  If this happens another actor could potentially impersonate and flood the HEC with garbage data.  Admittedly the attack surface is small and the damage is mostly ingestion and headache.

It has less to do with PII protection and more so the non-repudiation factor in this case.

If other Cloud based SaaS applications go this route then ingestion data from these will require cribl or some other other solution to serve as a receiver/validator before forwarding.

Well, as I'm reading the specs for those webhooks it seems there are two different mechanisms at play here.

One is OAuth which seems a bit silly here since webhooks are supposed to be fast, easy to implement, robust and so on. OAuth seem overly complicated for a simple webhook but let's leave it at this point. OAuth solves the case of authentication - it lets the client say hello properly to the server so that the server can decide whether to authorize the client to use the service (post the webhook) or not. This has nothing to do with non-repudiation.

And is indeed more or less the equivalent of the HEC token.

The non-repudiation part is indeed performed with event signatures but it's kinda orthogonal thing to Splunk. Splunk is not a general "webhook processing solution". Splunk's HEC is meant to receive events. Just that.

I'd say that the way to go would be to put something "in front" of Splunk to capture both the webhook contents as well as the signature and either validate the signature or send both the contents and the signature to Splunk (and have a way to later verify said signature).

If I recall right there have been discussions about oauth2 with Splunk’s future releases. Maybe you could found something from participating voc.splunk.com?

But oauth2 is targeting to authenticate and authorize into splunk searches, not for ingesting data via hec or other ways. Maybe there will be some modular inputs in future which will be use it! But currently e.g. HEC will be using only token based authentication only.