Understanding Webhook URL Security and Authorization Options

I have a table that is getting email addresses from a webhook. is the webhook URL totally public? Like if anybody has the URL they can just spam it with random emails? Could I use the clay api instead and is there a way to have authorization headers which use an environment variable secret stored in our vercel app? Does clay have a similar auth mechanism?