So you're telling me that it doesn't matter if I let the entire world into our internal testing web servers? I beg to differ on this point. Usually API callback systems that do calls out to their clients offer a whitelist for security reasons (ie. Salesforce, Zuora, etc). The whitelist is not about authorizing or authenticating the call, it's about not having to expose our web port to just anyone in order to received a callback from a specific company.