diff --git a/messages/en.json b/messages/en.json
index e5a3eb29a5..7824023a50 100644
--- a/messages/en.json
+++ b/messages/en.json
@@ -1051,7 +1051,7 @@
   "hashed-api-keys-enforcement-enabled": "Secure API keys enforcement has been enabled.",
   "header-event-desc": "The event type (e.g., app_versions.INSERT)",
   "header-event-id-desc": "Unique identifier for this event",
-  "header-signature-desc": "HMAC-SHA256 signature in format v1={timestamp}.{hex_signature}",
+  "header-signature-desc": "Standard Webhooks HMAC-SHA256 signature in format v1,{base64_signature}",
   "header-timestamp-desc": "Unix timestamp when the request was sent",
   "here": "here",
   "history": "History",
@@ -1726,7 +1726,8 @@
   "signature-example-title": "Node.js verification example:",
   "signature-verification-intro": "Each webhook request includes headers for signature verification:",
   "signing-secret": "Signing Secret",
-  "signing-secret-hint": "Use this secret to verify webhook signatures. The signature is sent in the X-Capgo-Signature header.",
+  "signing-secret-hint": "Use this secret to verify webhook signatures for the selected delivery version.",
+  "signing-secret-unavailable": "Signing secrets are only shown when a webhook is created.",
   "size": "Size",
   "size-not-found": "Not found",
   "something-went-wrong-try-again-later": "Something went wrong! Try again later.",
@@ -1922,6 +1923,7 @@
   "webhook-created": "Webhook created successfully",
   "webhook-delete-failed": "Failed to delete webhook",
   "webhook-deleted": "Webhook deleted successfully",
+  "webhook-delivery-version": "Delivery version",
   "webhook-disabled": "Webhook disabled",
   "webhook-enabled": "Webhook enabled",
   "webhook-events": "Events",
@@ -1938,6 +1940,10 @@
   "webhook-url-https-required": "Webhook URL must use HTTPS",
   "webhook-url-invalid": "Please enter a valid URL",
   "webhook-url-placeholder": "https://example.com/webhook",
+  "webhook-version-legacy": "Compatible (legacy)",
+  "webhook-version-legacy-hint": "Keeps the existing Capgo payload and X-Capgo headers for current integrations.",
+  "webhook-version-standard": "Standard Webhooks",
+  "webhook-version-standard-hint": "Adds Standard Webhooks payload type and webhook-* signature headers.",
   "webhooks": "Webhooks",
   "webhooks-description": "Configure webhooks to receive HTTP notifications when events occur in your organization.",
   "welcome-to": "Welcome to",
@@ -1964,6 +1970,7 @@
   "latest-snapshot": "Latest snapshot",
   "latest-day-in-selected-period": "Latest day in selected period",
   "latest-day-in-selected-period-help": "{count} devices were on {version} on {date}.",
+  "legacy-header-signature-desc": "Capgo HMAC-SHA256 signature in format v1={timestamp}.{hex_signature}",
   "selected-period": "Selected period",
   "start-of-selected-period": "Start of selected period",
   "start-of-selected-period-help": "{count} devices were on {version} on {date}.",
diff --git a/src/auto-imports.d.ts b/src/auto-imports.d.ts
index 761981b09b..6bc0425563 100644
--- a/src/auto-imports.d.ts
+++ b/src/auto-imports.d.ts
@@ -346,7 +346,7 @@ declare global {
   export type { PasswordPolicyConfig, Organization, OrganizationRole, ExtendedOrganizationMember, ExtendedOrganizationMembers } from './stores/organization'
   import('./stores/organization')
   // @ts-ignore
-  export type { DeliveryPagination, TestResult } from './stores/webhooks'
+  export type { DeliveryPagination, TestResult, Webhook, WebhookDeliveryVersion } from './stores/webhooks'
   import('./stores/webhooks')
 }
 
diff --git a/src/components/WebhookDeliveryLog.vue b/src/components/WebhookDeliveryLog.vue
index de649914c2..2479f99c4f 100644
--- a/src/components/WebhookDeliveryLog.vue
+++ b/src/components/WebhookDeliveryLog.vue
@@ -1,4 +1,5 @@
 <script setup lang="ts">
+import type { Webhook } from '~/stores/webhooks'
 import type { Database } from '~/types/supabase.types'
 import { storeToRefs } from 'pinia'
 import { onMounted, ref, watch } from 'vue'
@@ -16,7 +17,7 @@ import Spinner from '~/components/Spinner.vue'
 import { useWebhooksStore } from '~/stores/webhooks'
 
 const props = defineProps<{
-  webhook: Database['public']['Tables']['webhooks']['Row']
+  webhook: Webhook
 }>()
 
 const emit = defineEmits<{
diff --git a/src/components/WebhookForm.vue b/src/components/WebhookForm.vue
index 6f8f570eb4..9c3905b065 100644
--- a/src/components/WebhookForm.vue
+++ b/src/components/WebhookForm.vue
@@ -1,16 +1,16 @@
 <script setup lang="ts">
-import type { Database } from '~/types/supabase.types'
+import type { Webhook, WebhookDeliveryVersion } from '~/stores/webhooks'
 import { computed, onMounted, ref } from 'vue'
 import { useI18n } from 'vue-i18n'
 import IconX from '~icons/heroicons/x-mark'
 import { WEBHOOK_EVENT_TYPES } from '~/stores/webhooks'
 
 const props = defineProps<{
-  webhook: Database['public']['Tables']['webhooks']['Row'] | null
+  webhook: Webhook | null
 }>()
 
 const emit = defineEmits<{
-  (e: 'submit', data: { name: string, url: string, events: string[], enabled: boolean }): void
+  (e: 'submit', data: { name: string, url: string, events: string[], enabled: boolean, deliveryVersion: WebhookDeliveryVersion }): void
   (e: 'close'): void
 }>()
 
@@ -20,7 +20,11 @@ const name = ref('')
 const url = ref('')
 const selectedEvents = ref<string[]>([])
 const enabled = ref(true)
+const deliveryVersion = ref<WebhookDeliveryVersion>('legacy')
 const urlError = ref('')
+const nameInputId = 'webhook-form-name'
+const urlInputId = 'webhook-form-url'
+const deliveryVersionInputId = 'webhook-form-delivery-version'
 
 const isEditing = computed(() => !!props.webhook)
 
@@ -39,6 +43,7 @@ onMounted(() => {
     url.value = props.webhook.url
     selectedEvents.value = [...props.webhook.events]
     enabled.value = props.webhook.enabled
+    deliveryVersion.value = props.webhook.delivery_version === 'standard' ? 'standard' : 'legacy'
   }
 })
 
@@ -81,6 +86,7 @@ function handleSubmit() {
     url: url.value.trim(),
     events: selectedEvents.value,
     enabled: enabled.value,
+    deliveryVersion: deliveryVersion.value,
   })
 }
 
@@ -118,10 +124,11 @@ function handleBackdropClick(event: MouseEvent) {
       <div class="p-4 space-y-4">
         <!-- Name -->
         <div>
-          <label class="block mb-1 text-sm font-medium text-gray-700 dark:text-gray-300">
+          <label :for="nameInputId" class="block mb-1 text-sm font-medium text-gray-700 dark:text-gray-300">
             {{ t('webhook-name') }} <span class="text-red-500">*</span>
           </label>
           <input
+            :id="nameInputId"
             v-model="name"
             type="text"
             class="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-blue-500 dark:bg-gray-700 dark:border-gray-600 dark:text-white"
@@ -131,10 +138,11 @@ function handleBackdropClick(event: MouseEvent) {
 
         <!-- URL -->
         <div>
-          <label class="block mb-1 text-sm font-medium text-gray-700 dark:text-gray-300">
+          <label :for="urlInputId" class="block mb-1 text-sm font-medium text-gray-700 dark:text-gray-300">
             {{ t('webhook-url') }} <span class="text-red-500">*</span>
           </label>
           <input
+            :id="urlInputId"
             v-model="url"
             type="url"
             class="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-blue-500 dark:bg-gray-700 dark:border-gray-600 dark:text-white"
@@ -150,6 +158,28 @@ function handleBackdropClick(event: MouseEvent) {
           </p>
         </div>
 
+        <!-- Delivery Version -->
+        <div>
+          <label :for="deliveryVersionInputId" class="block mb-1 text-sm font-medium text-gray-700 dark:text-gray-300">
+            {{ t('webhook-delivery-version') }}
+          </label>
+          <select
+            :id="deliveryVersionInputId"
+            v-model="deliveryVersion"
+            class="w-full px-3 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-blue-500 dark:bg-gray-700 dark:border-gray-600 dark:text-white"
+          >
+            <option value="legacy">
+              {{ t('webhook-version-legacy') }}
+            </option>
+            <option value="standard">
+              {{ t('webhook-version-standard') }}
+            </option>
+          </select>
+          <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
+            {{ deliveryVersion === 'standard' ? t('webhook-version-standard-hint') : t('webhook-version-legacy-hint') }}
+          </p>
+        </div>
+
         <!-- Events -->
         <div>
           <label class="block mb-2 text-sm font-medium text-gray-700 dark:text-gray-300">
diff --git a/src/pages/settings/organization/Webhooks.vue b/src/pages/settings/organization/Webhooks.vue
index 4b39c08c80..d99eda2836 100644
--- a/src/pages/settings/organization/Webhooks.vue
+++ b/src/pages/settings/organization/Webhooks.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import type { Database } from '~/types/supabase.types'
+import type { Webhook } from '~/stores/webhooks'
 import { computedAsync } from '@vueuse/core'
 import { storeToRefs } from 'pinia'
 import { onMounted, ref, watch } from 'vue'
@@ -35,9 +35,9 @@ const { currentOrganization } = storeToRefs(organizationStore)
 const { webhooks, isLoading } = storeToRefs(webhooksStore)
 
 const showForm = ref(false)
-const editingWebhook = ref<Database['public']['Tables']['webhooks']['Row'] | null>(null)
+const editingWebhook = ref<Webhook | null>(null)
 const showDeliveryLog = ref(false)
-const selectedWebhookForLog = ref<Database['public']['Tables']['webhooks']['Row'] | null>(null)
+const selectedWebhookForLog = ref<Webhook | null>(null)
 const testingWebhookId = ref<string | null>(null)
 const expandedWebhookId = ref<string | null>(null)
 
@@ -66,7 +66,7 @@ function openCreateForm() {
   showForm.value = true
 }
 
-function openEditForm(webhook: Database['public']['Tables']['webhooks']['Row']) {
+function openEditForm(webhook: Webhook) {
   if (!canManageWebhooks.value) {
     toast.error(t('no-permission'))
     return
@@ -75,7 +75,7 @@ function openEditForm(webhook: Database['public']['Tables']['webhooks']['Row'])
   showForm.value = true
 }
 
-async function handleFormSubmit(data: { name: string, url: string, events: string[], enabled: boolean }) {
+async function handleFormSubmit(data: { name: string, url: string, events: string[], enabled: boolean, deliveryVersion: 'legacy' | 'standard' }) {
   if (editingWebhook.value) {
     // When editing, pass all fields including enabled
     const result = await webhooksStore.updateWebhook(editingWebhook.value.id, data)
@@ -101,7 +101,7 @@ async function handleFormSubmit(data: { name: string, url: string, events: strin
   }
 }
 
-async function deleteWebhook(webhook: Database['public']['Tables']['webhooks']['Row']) {
+async function deleteWebhook(webhook: Webhook) {
   if (!canManageWebhooks.value) {
     toast.error(t('no-permission'))
     return
@@ -132,7 +132,7 @@ async function deleteWebhook(webhook: Database['public']['Tables']['webhooks']['
   })
 }
 
-async function testWebhook(webhook: Database['public']['Tables']['webhooks']['Row']) {
+async function testWebhook(webhook: Webhook) {
   if (!canManageWebhooks.value) {
     toast.error(t('no-permission'))
     return
@@ -150,7 +150,7 @@ async function testWebhook(webhook: Database['public']['Tables']['webhooks']['Ro
   }
 }
 
-async function toggleWebhook(webhook: Database['public']['Tables']['webhooks']['Row']) {
+async function toggleWebhook(webhook: Webhook) {
   if (!canManageWebhooks.value) {
     toast.error(t('no-permission'))
     return
@@ -166,7 +166,7 @@ async function toggleWebhook(webhook: Database['public']['Tables']['webhooks']['
   }
 }
 
-function viewDeliveries(webhook: Database['public']['Tables']['webhooks']['Row']) {
+function viewDeliveries(webhook: Webhook) {
   selectedWebhookForLog.value = webhook
   showDeliveryLog.value = true
 }
@@ -202,10 +202,10 @@ async function copySecret(secret: string) {
 
 const signatureVerificationCode = `import crypto from 'crypto'
 
-function verifyWebhookSignature(req, secret) {
-  const signature = req.headers['x-capgo-signature']
-  const timestamp = req.headers['x-capgo-timestamp']
-  const payload = JSON.stringify(req.body)
+function verifyWebhookSignature(rawBody, headers, secret) {
+  const messageId = headers['webhook-id']
+  const timestamp = headers['webhook-timestamp']
+  const signatures = headers['webhook-signature']?.split(' ') ?? []
 
   // Check timestamp to prevent replay attacks (5 min tolerance)
   const currentTime = Math.floor(Date.now() / 1000)
@@ -214,21 +214,66 @@ function verifyWebhookSignature(req, secret) {
   }
 
   // Compute expected signature
-  const signaturePayload = \`\${timestamp}.\${payload}\`
-  const hmac = crypto.createHmac('sha256', secret)
+  const secretBytes = Buffer.from(secret.replace(/^whsec_/, ''), 'base64')
+  const signaturePayload = \`\${messageId}.\${timestamp}.\${rawBody}\`
+  const hmac = crypto.createHmac('sha256', secretBytes)
   hmac.update(signaturePayload)
-  const expectedSignature = \`v1=\${timestamp}.\${hmac.digest('hex')}\`
+  const expectedSignature = \`v1,\${hmac.digest('base64')}\`
 
   // Compare signatures (timing-safe)
-  if (!crypto.timingSafeEqual(
-    Buffer.from(signature),
-    Buffer.from(expectedSignature)
-  )) {
+  const isValid = signatures.some(signature =>
+    signature.length === expectedSignature.length
+    && crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature))
+  )
+
+  if (!isValid) {
+    throw new Error('Invalid webhook signature')
+  }
+
+  return true
+}`
+
+const legacySignatureVerificationCode = `import crypto from 'crypto'
+
+function verifyWebhookSignature(rawBody, headers, secret) {
+  const signature = headers['x-capgo-signature'] ?? headers['X-Capgo-Signature']
+  const match = signature?.match(/^v1=(\\d+)\\.([a-f0-9]{64})$/i)
+
+  if (!match) {
+    throw new Error('Invalid webhook signature format')
+  }
+
+  const [, timestamp, receivedHmac] = match
+
+  // Check timestamp to prevent replay attacks (5 min tolerance)
+  const currentTime = Math.floor(Date.now() / 1000)
+  if (Math.abs(currentTime - parseInt(timestamp)) > 300) {
+    throw new Error('Webhook timestamp too old')
+  }
+
+  const signaturePayload = \`\${timestamp}.\${rawBody}\`
+  const expectedHmac = crypto
+    .createHmac('sha256', secret)
+    .update(signaturePayload)
+    .digest('hex')
+
+  const isValid = receivedHmac.length === expectedHmac.length
+    && crypto.timingSafeEqual(Buffer.from(receivedHmac), Buffer.from(expectedHmac))
+
+  if (!isValid) {
     throw new Error('Invalid webhook signature')
   }
 
   return true
 }`
+
+function getSignatureVerificationCode(webhook: Webhook) {
+  return webhook.delivery_version === 'standard' ? signatureVerificationCode : legacySignatureVerificationCode
+}
+
+function getDeliveryVersionLabel(webhook: Webhook) {
+  return webhook.delivery_version === 'standard' ? t('webhook-version-standard') : t('webhook-version-legacy')
+}
 </script>
 
 <template>
@@ -366,7 +411,7 @@ function verifyWebhookSignature(req, secret) {
                 <h4 class="mb-2 text-sm font-medium text-gray-700 dark:text-gray-300">
                   {{ t('signing-secret') }}
                 </h4>
-                <div class="flex items-center gap-2">
+                <div v-if="webhook.secret" class="flex items-center gap-2">
                   <code class="flex-1 px-3 py-2 font-mono text-sm text-gray-700 truncate bg-gray-100 border border-gray-200 rounded dark:bg-gray-800 dark:border-gray-700 dark:text-gray-300">
                     {{ webhook.secret }}
                   </code>
@@ -378,6 +423,9 @@ function verifyWebhookSignature(req, secret) {
                     <IconClipboard class="w-4 h-4" />
                   </button>
                 </div>
+                <p v-else class="px-3 py-2 text-sm text-gray-600 border border-gray-200 rounded bg-gray-100 dark:bg-gray-800 dark:border-gray-700 dark:text-gray-300">
+                  {{ t('signing-secret-unavailable') }}
+                </p>
                 <p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
                   {{ t('signing-secret-hint') }}
                 </p>
@@ -392,21 +440,28 @@ function verifyWebhookSignature(req, secret) {
                       {{ t('signature-verification-intro') }}
                     </p>
                     <ul class="mb-3 space-y-1 text-xs text-gray-600 list-disc list-inside dark:text-gray-400">
-                      <li><code class="px-1 bg-gray-200 rounded dark:bg-gray-700">X-Capgo-Signature</code>: {{ t('header-signature-desc') }}</li>
-                      <li><code class="px-1 bg-gray-200 rounded dark:bg-gray-700">X-Capgo-Timestamp</code>: {{ t('header-timestamp-desc') }}</li>
-                      <li><code class="px-1 bg-gray-200 rounded dark:bg-gray-700">X-Capgo-Event</code>: {{ t('header-event-desc') }}</li>
-                      <li><code class="px-1 bg-gray-200 rounded dark:bg-gray-700">X-Capgo-Event-ID</code>: {{ t('header-event-id-desc') }}</li>
+                      <template v-if="webhook.delivery_version === 'standard'">
+                        <li><code class="px-1 bg-gray-200 rounded dark:bg-gray-700">webhook-signature</code>: {{ t('header-signature-desc') }}</li>
+                        <li><code class="px-1 bg-gray-200 rounded dark:bg-gray-700">webhook-timestamp</code>: {{ t('header-timestamp-desc') }}</li>
+                        <li><code class="px-1 bg-gray-200 rounded dark:bg-gray-700">webhook-id</code>: {{ t('header-event-id-desc') }}</li>
+                      </template>
+                      <template v-else>
+                        <li><code class="px-1 bg-gray-200 rounded dark:bg-gray-700">X-Capgo-Signature</code>: {{ t('legacy-header-signature-desc') }}</li>
+                        <li><code class="px-1 bg-gray-200 rounded dark:bg-gray-700">X-Capgo-Timestamp</code>: {{ t('header-timestamp-desc') }}</li>
+                        <li><code class="px-1 bg-gray-200 rounded dark:bg-gray-700">X-Capgo-Event-ID</code>: {{ t('header-event-id-desc') }}</li>
+                      </template>
                     </ul>
                     <p class="mb-2 text-xs font-medium text-gray-700 dark:text-gray-300">
                       {{ t('signature-example-title') }}
                     </p>
-                    <pre class="p-3 overflow-x-auto text-xs text-gray-100 bg-gray-900 rounded"><code>{{ signatureVerificationCode }}</code></pre>
+                    <pre class="p-3 overflow-x-auto text-xs text-gray-100 bg-gray-900 rounded"><code>{{ getSignatureVerificationCode(webhook) }}</code></pre>
                   </div>
                 </details>
               </div>
 
               <!-- Metadata -->
               <div class="mb-4 text-sm text-gray-500 dark:text-gray-400">
+                <p>{{ t('webhook-delivery-version') }}: {{ getDeliveryVersionLabel(webhook) }}</p>
                 <p>{{ t('created-at') }}: {{ formatDate(webhook.created_at) }}</p>
                 <p>{{ t('updated-at') }}: {{ formatDate(webhook.updated_at) }}</p>
               </div>
diff --git a/src/stores/webhooks.ts b/src/stores/webhooks.ts
index 3180693064..1177c79645 100644
--- a/src/stores/webhooks.ts
+++ b/src/stores/webhooks.ts
@@ -21,6 +21,12 @@ export interface TestResult {
   message: string
 }
 
+export type Webhook = Omit<Database['public']['Tables']['webhooks']['Row'], 'secret'> & {
+  secret?: string
+}
+
+export type WebhookDeliveryVersion = 'legacy' | 'standard'
+
 // Supported event types
 export const WEBHOOK_EVENT_TYPES = [
   { value: 'apps', label: 'App Changes', description: 'When apps are created, updated, or deleted' },
@@ -30,12 +36,25 @@ export const WEBHOOK_EVENT_TYPES = [
   { value: 'orgs', label: 'Organization Changes', description: 'When organization settings are updated' },
 ] as const
 
-const DELIVERIES_PER_PAGE = 50
-
 const supabase = useSupabase()
 
+function buildWebhookFunctionPath(path: string, params: Record<string, string | number | undefined>) {
+  const query = new URLSearchParams()
+  Object.entries(params).forEach(([key, value]) => {
+    if (value !== undefined)
+      query.set(key, String(value))
+  })
+
+  const queryString = query.toString()
+  return queryString ? `${path}?${queryString}` : path
+}
+
+function getFunctionErrorMessage(error: { message?: string } | null | undefined, fallback: string) {
+  return error?.message || fallback
+}
+
 export const useWebhooksStore = defineStore('webhooks', () => {
-  const webhooks: Ref<Database['public']['Tables']['webhooks']['Row'][]> = ref([])
+  const webhooks: Ref<Webhook[]> = ref([])
   const deliveries: Ref<Database['public']['Tables']['webhook_deliveries']['Row'][]> = ref([])
   const deliveryPagination: Ref<DeliveryPagination | null> = ref(null)
   const isLoading = ref(false)
@@ -43,7 +62,7 @@ export const useWebhooksStore = defineStore('webhooks', () => {
 
   /**
    * Fetch all webhooks for the current organization
-   * Uses direct Supabase SDK - RLS handles permissions
+   * Uses the webhook API so secrets and delivery data never go through direct table access.
    */
   async function fetchWebhooks(): Promise<void> {
     const organizationStore = useOrganizationStore()
@@ -56,18 +75,16 @@ export const useWebhooksStore = defineStore('webhooks', () => {
 
     isLoading.value = true
     try {
-      const { data, error } = await supabase
-        .from('webhooks')
-        .select('*')
-        .eq('org_id', orgId)
-        .order('created_at', { ascending: false })
+      const { data, error } = await supabase.functions.invoke(buildWebhookFunctionPath('webhooks', { orgId }), {
+        method: 'GET',
+      })
 
       if (error) {
         console.error('Failed to fetch webhooks:', error)
         return
       }
 
-      webhooks.value = data || []
+      webhooks.value = Array.isArray(data) ? data : []
     }
     catch (err) {
       console.error('Error fetching webhooks:', err)
@@ -79,9 +96,9 @@ export const useWebhooksStore = defineStore('webhooks', () => {
 
   /**
    * Get a single webhook
-   * Uses direct Supabase SDK - RLS handles permissions
+   * Uses the webhook API so secrets and delivery data never go through direct table access.
    */
-  async function getWebhook(webhookId: string): Promise<Database['public']['Tables']['webhooks']['Row'] | null> {
+  async function getWebhook(webhookId: string): Promise<Webhook | null> {
     const organizationStore = useOrganizationStore()
     const orgId = organizationStore.currentOrganization?.gid
 
@@ -91,12 +108,9 @@ export const useWebhooksStore = defineStore('webhooks', () => {
     }
 
     try {
-      const { data, error } = await supabase
-        .from('webhooks')
-        .select('*')
-        .eq('id', webhookId)
-        .eq('org_id', orgId)
-        .single()
+      const { data, error } = await supabase.functions.invoke(buildWebhookFunctionPath('webhooks', { orgId, webhookId }), {
+        method: 'GET',
+      })
 
       if (error) {
         console.error('Failed to fetch webhook:', error)
@@ -113,13 +127,14 @@ export const useWebhooksStore = defineStore('webhooks', () => {
 
   /**
    * Create a new webhook
-   * Uses direct Supabase SDK - RLS handles permissions
+   * Uses the webhook API so secrets and delivery data never go through direct table access.
    */
   async function createWebhook(webhookData: {
     name: string
     url: string
     events: string[]
-  }): Promise<{ success: boolean, webhook?: Database['public']['Tables']['webhooks']['Row'], error?: string }> {
+    deliveryVersion?: WebhookDeliveryVersion
+  }): Promise<{ success: boolean, webhook?: Webhook, error?: string }> {
     const organizationStore = useOrganizationStore()
     const orgId = organizationStore.currentOrganization?.gid
 
@@ -148,28 +163,28 @@ export const useWebhooksStore = defineStore('webhooks', () => {
     }
 
     try {
-      const { data, error } = await supabase
-        .from('webhooks')
-        .insert({
-          org_id: orgId,
+      const { data, error } = await supabase.functions.invoke('webhooks', {
+        method: 'POST',
+        body: {
+          orgId,
           name: webhookData.name,
           url: webhookData.url,
           events: webhookData.events,
-          enabled: true, // Always enabled on creation
-        })
-        .select()
-        .single()
+          enabled: true,
+          deliveryVersion: webhookData.deliveryVersion ?? 'legacy',
+        },
+      })
 
       if (error) {
-        return { success: false, error: error.message || 'Failed to create webhook' }
+        return { success: false, error: getFunctionErrorMessage(error, 'Failed to create webhook') }
       }
 
       // Add to local list
-      if (data) {
-        webhooks.value.unshift(data)
+      if (data?.webhook) {
+        webhooks.value.unshift(data.webhook)
       }
 
-      return { success: true, webhook: data }
+      return { success: true, webhook: data?.webhook }
     }
     catch (err: any) {
       return { success: false, error: err?.message || 'Error creating webhook' }
@@ -178,7 +193,7 @@ export const useWebhooksStore = defineStore('webhooks', () => {
 
   /**
    * Update an existing webhook
-   * Uses direct Supabase SDK - RLS handles permissions
+   * Uses the webhook API so secrets and delivery data never go through direct table access.
    */
   async function updateWebhook(
     webhookId: string,
@@ -187,8 +202,9 @@ export const useWebhooksStore = defineStore('webhooks', () => {
       url: string
       events: string[]
       enabled: boolean
+      deliveryVersion: WebhookDeliveryVersion
     }>,
-  ): Promise<{ success: boolean, webhook?: Database['public']['Tables']['webhooks']['Row'], error?: string }> {
+  ): Promise<{ success: boolean, webhook?: Webhook, error?: string }> {
     const organizationStore = useOrganizationStore()
     const orgId = organizationStore.currentOrganization?.gid
 
@@ -221,27 +237,28 @@ export const useWebhooksStore = defineStore('webhooks', () => {
     }
 
     try {
-      const { data, error } = await supabase
-        .from('webhooks')
-        .update(webhookData)
-        .eq('id', webhookId)
-        .eq('org_id', orgId)
-        .select()
-        .single()
+      const { data, error } = await supabase.functions.invoke('webhooks', {
+        method: 'PUT',
+        body: {
+          orgId,
+          webhookId,
+          ...webhookData,
+        },
+      })
 
       if (error) {
-        return { success: false, error: error.message || 'Failed to update webhook' }
+        return { success: false, error: getFunctionErrorMessage(error, 'Failed to update webhook') }
       }
 
       // Update local list
-      if (data) {
+      if (data?.webhook) {
         const index = webhooks.value.findIndex(w => w.id === webhookId)
         if (index !== -1) {
-          webhooks.value[index] = data
+          webhooks.value[index] = data.webhook
         }
       }
 
-      return { success: true, webhook: data }
+      return { success: true, webhook: data?.webhook }
     }
     catch (err: any) {
       return { success: false, error: err?.message || 'Error updating webhook' }
@@ -250,7 +267,7 @@ export const useWebhooksStore = defineStore('webhooks', () => {
 
   /**
    * Delete a webhook
-   * Uses direct Supabase SDK - RLS handles permissions
+   * Uses the webhook API so secrets and delivery data never go through direct table access.
    */
   async function deleteWebhook(webhookId: string): Promise<{ success: boolean, error?: string }> {
     const organizationStore = useOrganizationStore()
@@ -261,14 +278,13 @@ export const useWebhooksStore = defineStore('webhooks', () => {
     }
 
     try {
-      const { error } = await supabase
-        .from('webhooks')
-        .delete()
-        .eq('id', webhookId)
-        .eq('org_id', orgId)
+      const { error } = await supabase.functions.invoke('webhooks', {
+        method: 'DELETE',
+        body: { orgId, webhookId },
+      })
 
       if (error) {
-        return { success: false, error: error.message || 'Failed to delete webhook' }
+        return { success: false, error: getFunctionErrorMessage(error, 'Failed to delete webhook') }
       }
 
       // Remove from local list
@@ -312,7 +328,7 @@ export const useWebhooksStore = defineStore('webhooks', () => {
           duration_ms: null,
           response_preview: null,
           delivery_id: '',
-          message: error.message || 'Failed to test webhook',
+          message: getFunctionErrorMessage(error, 'Failed to test webhook'),
         }
       }
 
@@ -332,7 +348,7 @@ export const useWebhooksStore = defineStore('webhooks', () => {
 
   /**
    * Fetch deliveries for a webhook
-   * Uses direct Supabase SDK - RLS handles permissions
+   * Uses the webhook API so secrets and delivery data never go through direct table access.
    */
   async function fetchDeliveries(webhookId: string, page = 0, status?: string): Promise<void> {
     const organizationStore = useOrganizationStore()
@@ -345,35 +361,22 @@ export const useWebhooksStore = defineStore('webhooks', () => {
 
     isLoadingDeliveries.value = true
     try {
-      const from = page * DELIVERIES_PER_PAGE
-      const to = (page + 1) * DELIVERIES_PER_PAGE - 1
-
-      let query = supabase
-        .from('webhook_deliveries')
-        .select('*', { count: 'exact' })
-        .eq('webhook_id', webhookId)
-        .eq('org_id', orgId)
-
-      if (status) {
-        query = query.eq('status', status)
-      }
-
-      query = query.order('created_at', { ascending: false }).range(from, to)
-
-      const { data, error, count } = await query
+      const { data, error } = await supabase.functions.invoke(buildWebhookFunctionPath('webhooks/deliveries', {
+        orgId,
+        webhookId,
+        page,
+        status,
+      }), {
+        method: 'GET',
+      })
 
       if (error) {
         console.error('Failed to fetch deliveries:', error)
         return
       }
 
-      deliveries.value = data || []
-      deliveryPagination.value = {
-        page,
-        per_page: DELIVERIES_PER_PAGE,
-        total: count ?? 0,
-        has_more: (data?.length ?? 0) === DELIVERIES_PER_PAGE,
-      }
+      deliveries.value = data?.deliveries || []
+      deliveryPagination.value = data?.pagination || null
     }
     catch (err) {
       console.error('Error fetching deliveries:', err)
@@ -401,7 +404,7 @@ export const useWebhooksStore = defineStore('webhooks', () => {
       })
 
       if (error) {
-        return { success: false, error: error.message || 'Failed to retry delivery' }
+        return { success: false, error: getFunctionErrorMessage(error, 'Failed to retry delivery') }
       }
 
       // Update local delivery status
diff --git a/src/types/supabase.types.ts b/src/types/supabase.types.ts
index 9aa3980ebb..1396aef74e 100644
--- a/src/types/supabase.types.ts
+++ b/src/types/supabase.types.ts
@@ -2764,6 +2764,7 @@ export type Database = {
           audit_log_id: number | null
           completed_at: string | null
           created_at: string
+          delivery_version: string
           duration_ms: number | null
           event_type: string
           id: string
@@ -2782,6 +2783,7 @@ export type Database = {
           audit_log_id?: number | null
           completed_at?: string | null
           created_at?: string
+          delivery_version?: string
           duration_ms?: number | null
           event_type: string
           id?: string
@@ -2800,6 +2802,7 @@ export type Database = {
           audit_log_id?: number | null
           completed_at?: string | null
           created_at?: string
+          delivery_version?: string
           duration_ms?: number | null
           event_type?: string
           id?: string
@@ -2834,6 +2837,7 @@ export type Database = {
         Row: {
           created_at: string
           created_by: string | null
+          delivery_version: string
           enabled: boolean
           events: string[]
           id: string
@@ -2846,6 +2850,7 @@ export type Database = {
         Insert: {
           created_at?: string
           created_by?: string | null
+          delivery_version?: string
           enabled?: boolean
           events: string[]
           id?: string
@@ -2858,6 +2863,7 @@ export type Database = {
         Update: {
           created_at?: string
           created_by?: string | null
+          delivery_version?: string
           enabled?: boolean
           events?: string[]
           id?: string
diff --git a/supabase/functions/_backend/public/webhooks/delete.ts b/supabase/functions/_backend/public/webhooks/delete.ts
index 90584f6d58..2ea07bf77f 100644
--- a/supabase/functions/_backend/public/webhooks/delete.ts
+++ b/supabase/functions/_backend/public/webhooks/delete.ts
@@ -1,31 +1,29 @@
 import type { Context } from 'hono'
-import type { Database } from '../../utils/supabase.types.ts'
+import type { AuthInfo, MiddlewareKeyVariables } from '../../utils/hono.ts'
 import { type } from 'arktype'
 import { safeParseSchema } from '../../utils/ark_validation.ts'
 import { simpleError } from '../../utils/hono.ts'
-import { supabaseApikey } from '../../utils/supabase.ts'
-import { checkWebhookPermission } from './index.ts'
+import { supabaseAdmin } from '../../utils/supabase.ts'
+import { checkWebhookPermissionV2 } from './index.ts'
 
 const bodySchema = type({
   orgId: 'string',
   webhookId: 'string',
 })
 
-export async function deleteWebhook(c: Context, bodyRaw: any, apikey: Database['public']['Tables']['apikeys']['Row']): Promise<Response> {
+export async function deleteWebhook(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw: any, auth: AuthInfo): Promise<Response> {
   const bodyParsed = safeParseSchema(bodySchema, bodyRaw)
   if (!bodyParsed.success) {
     throw simpleError('invalid_body', 'Invalid body', { error: bodyParsed.error })
   }
   const body = bodyParsed.data
 
-  await checkWebhookPermission(c, body.orgId, apikey)
+  await checkWebhookPermissionV2(c, body.orgId, auth)
 
-  // Use authenticated client - RLS will enforce access
-  const supabase = supabaseApikey(c, c.get('capgkey') as string)
+  const supabase = supabaseAdmin(c)
 
   // Verify webhook belongs to org
-  // Note: Using type assertion as webhooks table types are not yet generated
-  const { data: existingWebhook, error: fetchError } = await (supabase as any)
+  const { data: existingWebhook, error: fetchError } = await supabase
     .from('webhooks')
     .select('id, org_id')
     .eq('id', body.webhookId)
@@ -40,7 +38,7 @@ export async function deleteWebhook(c: Context, bodyRaw: any, apikey: Database['
   }
 
   // Delete webhook (cascade will delete deliveries)
-  const { error } = await (supabase as any)
+  const { error } = await supabase
     .from('webhooks')
     .delete()
     .eq('id', body.webhookId)
diff --git a/supabase/functions/_backend/public/webhooks/deliveries.ts b/supabase/functions/_backend/public/webhooks/deliveries.ts
index f4c0673eb9..793e693326 100644
--- a/supabase/functions/_backend/public/webhooks/deliveries.ts
+++ b/supabase/functions/_backend/public/webhooks/deliveries.ts
@@ -1,20 +1,18 @@
 import type { Context } from 'hono'
 import type { AuthInfo, MiddlewareKeyVariables } from '../../utils/hono.ts'
-import type { Database } from '../../utils/supabase.types.ts'
-import type {
-  WebhookPayload,
-} from '../../utils/webhook.ts'
+import type { WebhookDeliveryPayload } from '../../utils/webhook.ts'
 import { type } from 'arktype'
 import { safeParseSchema } from '../../utils/ark_validation.ts'
 import { simpleError } from '../../utils/hono.ts'
-import { supabaseApikey, supabaseWithAuth } from '../../utils/supabase.ts'
+import { supabaseAdmin } from '../../utils/supabase.ts'
 import {
   getDeliveryById,
   getWebhookById,
+  getWebhookLogUrlMetadata,
   getWebhookPublicUrlValidationError,
   queueWebhookDelivery,
 } from '../../utils/webhook.ts'
-import { checkWebhookPermission, checkWebhookPermissionV2 } from './index.ts'
+import { checkWebhookPermissionV2 } from './index.ts'
 
 const getDeliveriesSchema = type({
   'orgId': 'string',
@@ -30,20 +28,19 @@ const retryDeliverySchema = type({
 
 const DELIVERIES_PER_PAGE = 50
 
-export async function getDeliveries(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw: any, apikey: Database['public']['Tables']['apikeys']['Row']): Promise<Response> {
+export async function getDeliveries(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw: any, auth: AuthInfo): Promise<Response> {
   const bodyParsed = safeParseSchema(getDeliveriesSchema, bodyRaw)
   if (!bodyParsed.success) {
     throw simpleError('invalid_body', 'Invalid body', { error: bodyParsed.error })
   }
   const body = bodyParsed.data
 
-  await checkWebhookPermission(c, body.orgId, apikey)
+  await checkWebhookPermissionV2(c, body.orgId, auth)
 
-  // Use authenticated client - RLS will enforce access
-  const supabase = supabaseApikey(c, c.get('capgkey') as string)
+  // Direct RLS access to webhook tables is intentionally denied; use service-role only after explicit permission checks.
+  const supabase = supabaseAdmin(c)
 
   // Verify webhook belongs to org
-  // Note: Using type assertion as webhooks table types are not yet generated
   const { data: webhook, error: webhookError } = await supabase
     .from('webhooks')
     .select('id, org_id')
@@ -116,8 +113,7 @@ export async function retryDelivery(c: Context<MiddlewareKeyVariables, any, any>
 
   await checkWebhookPermissionV2(c, body.orgId, auth)
 
-  // Use authenticated client for data queries - RLS will enforce access
-  const supabase = supabaseWithAuth(c, auth)
+  const supabase = supabaseAdmin(c)
 
   // Get delivery
   const delivery = await getDeliveryById(c, body.deliveryId)
@@ -129,9 +125,12 @@ export async function retryDelivery(c: Context<MiddlewareKeyVariables, any, any>
     throw simpleError('no_permission', 'Delivery does not belong to this organization', { deliveryId: body.deliveryId })
   }
 
-  // Can only retry failed deliveries
-  if (delivery.status === 'success') {
-    throw simpleError('already_successful', 'Delivery was already successful', { deliveryId: body.deliveryId })
+  // Can only retry failed deliveries. Pending deliveries are already queued or in flight.
+  if (delivery.status !== 'failed') {
+    throw simpleError('delivery_not_failed', 'Only failed deliveries can be retried', {
+      deliveryId: body.deliveryId,
+      status: delivery.status,
+    })
   }
 
   // Get webhook for URL
@@ -146,10 +145,10 @@ export async function retryDelivery(c: Context<MiddlewareKeyVariables, any, any>
 
   const urlError = await getWebhookPublicUrlValidationError(c, webhook.url)
   if (urlError)
-    throw simpleError('invalid_url', urlError, { url: webhook.url })
+    throw simpleError('invalid_url', urlError, { urlInfo: getWebhookLogUrlMetadata(webhook.url) })
 
   // Reset delivery status and queue for retry
-  await supabase
+  const { error: updateError } = await supabase
     .from('webhook_deliveries')
     .update({
       status: 'pending',
@@ -162,13 +161,20 @@ export async function retryDelivery(c: Context<MiddlewareKeyVariables, any, any>
     })
     .eq('id', body.deliveryId)
 
+  if (updateError) {
+    throw simpleError('cannot_reset_delivery', 'Cannot reset delivery for retry', {
+      deliveryId: body.deliveryId,
+      error: updateError,
+    })
+  }
+
   // Queue for immediate delivery
   await queueWebhookDelivery(
     c,
     delivery.id,
     webhook.id,
     webhook.url,
-    delivery.request_payload as any as WebhookPayload,
+    delivery.request_payload as WebhookDeliveryPayload,
   )
 
   return c.json({
diff --git a/supabase/functions/_backend/public/webhooks/get.ts b/supabase/functions/_backend/public/webhooks/get.ts
index 1a18bf8de7..d4efcab9af 100644
--- a/supabase/functions/_backend/public/webhooks/get.ts
+++ b/supabase/functions/_backend/public/webhooks/get.ts
@@ -1,50 +1,35 @@
 import type { Context } from 'hono'
-import type { Database } from '../../utils/supabase.types.ts'
+import type { AuthInfo, MiddlewareKeyVariables } from '../../utils/hono.ts'
 import { type } from 'arktype'
 import { safeParseSchema } from '../../utils/ark_validation.ts'
 import { simpleError } from '../../utils/hono.ts'
-import { supabaseApikey } from '../../utils/supabase.ts'
+import { supabaseAdmin } from '../../utils/supabase.ts'
 import { fetchLimit } from '../../utils/utils.ts'
-import { checkWebhookPermission } from './index.ts'
+import { checkWebhookPermissionV2 } from './index.ts'
+import { webhookPublicSchema, webhookPublicSelect, webhooksPublicSchema } from './response.ts'
 
 const bodySchema = type({
   'orgId': 'string',
   'webhookId?': 'string',
-  'page?': 'number',
+  'page?': 'number | string.numeric.parse',
 })
 
-const webhookSchema = type({
-  id: 'string',
-  org_id: 'string',
-  name: 'string',
-  url: 'string',
-  enabled: 'boolean',
-  events: 'string[]',
-  created_at: 'string',
-  updated_at: 'string',
-  created_by: 'string | null',
-})
-
-const webhooksSchema = webhookSchema.array()
-
-export async function get(c: Context, bodyRaw: any, apikey: Database['public']['Tables']['apikeys']['Row']): Promise<Response> {
+export async function get(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw: any, auth: AuthInfo): Promise<Response> {
   const bodyParsed = safeParseSchema(bodySchema, bodyRaw)
   if (!bodyParsed.success) {
     throw simpleError('invalid_body', 'Invalid body', { error: bodyParsed.error })
   }
   const body = bodyParsed.data
 
-  await checkWebhookPermission(c, body.orgId, apikey)
-
-  // Use authenticated client - RLS will enforce access
-  const supabase = supabaseApikey(c, c.get('capgkey') as string)
+  await checkWebhookPermissionV2(c, body.orgId, auth)
+  // Direct RLS access to webhook tables is intentionally denied; use service-role only after explicit permission checks.
+  const supabase = supabaseAdmin(c)
 
   // Get single webhook
-  // Note: Using type assertion as webhooks table types are not yet generated
   if (body.webhookId) {
-    const { data, error } = await (supabase as any)
+    const { data, error } = await supabase
       .from('webhooks')
-      .select('*')
+      .select(webhookPublicSelect)
       .eq('id', body.webhookId)
       .eq('org_id', body.orgId)
       .single()
@@ -53,13 +38,13 @@ export async function get(c: Context, bodyRaw: any, apikey: Database['public']['
       throw simpleError('webhook_not_found', 'Webhook not found', { error })
     }
 
-    const dataParsed = safeParseSchema(webhookSchema, data)
+    const dataParsed = safeParseSchema(webhookPublicSchema, data)
     if (!dataParsed.success) {
       throw simpleError('cannot_parse_webhook', 'Cannot parse webhook', { error: dataParsed.error })
     }
 
     // Get recent delivery stats for this webhook
-    const { data: stats } = await (supabase as any)
+    const { data: stats } = await supabase
       .from('webhook_deliveries')
       .select('status', { count: 'exact' })
       .eq('webhook_id', body.webhookId)
@@ -84,9 +69,9 @@ export async function get(c: Context, bodyRaw: any, apikey: Database['public']['
   const from = fetchOffset * fetchLimit
   const to = (fetchOffset + 1) * fetchLimit - 1
 
-  const { data, error } = await (supabase as any)
+  const { data, error } = await supabase
     .from('webhooks')
-    .select('*')
+    .select(webhookPublicSelect)
     .eq('org_id', body.orgId)
     .order('created_at', { ascending: false })
     .range(from, to)
@@ -95,7 +80,7 @@ export async function get(c: Context, bodyRaw: any, apikey: Database['public']['
     throw simpleError('cannot_get_webhooks', 'Cannot get webhooks', { error })
   }
 
-  const dataParsed = safeParseSchema(webhooksSchema, data)
+  const dataParsed = safeParseSchema(webhooksPublicSchema, data)
   if (!dataParsed.success) {
     throw simpleError('cannot_parse_webhooks', 'Cannot parse webhooks', { error: dataParsed.error })
   }
diff --git a/supabase/functions/_backend/public/webhooks/index.ts b/supabase/functions/_backend/public/webhooks/index.ts
index 0b9ef46c8f..f8d9f7b439 100644
--- a/supabase/functions/_backend/public/webhooks/index.ts
+++ b/supabase/functions/_backend/public/webhooks/index.ts
@@ -2,7 +2,7 @@ import type { Context } from 'hono'
 import type { AuthInfo, MiddlewareKeyVariables } from '../../utils/hono.ts'
 import type { Database } from '../../utils/supabase.types.ts'
 import { getBodyOrQuery, honoFactory, quickError, simpleError } from '../../utils/hono.ts'
-import { middlewareKey, middlewareV2 } from '../../utils/hono_middleware.ts'
+import { middlewareV2 } from '../../utils/hono_middleware.ts'
 import { apikeyHasOrgRight, apikeyHasOrgRightWithPolicy, hasOrgRight, hasOrgRightApikey, supabaseApikey } from '../../utils/supabase.ts'
 import { deleteWebhook } from './delete.ts'
 import { getDeliveries, retryDelivery } from './deliveries.ts'
@@ -114,31 +114,31 @@ export async function checkWebhookPermissionV2(
 }
 
 // List all webhooks for org
-app.get('/', middlewareKey(['all', 'write']), async (c) => {
+app.get('/', middlewareV2(['all', 'write']), async (c) => {
   const body = await getBodyOrQuery<any>(c)
-  const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row']
-  return get(c, body, apikey)
+  const auth = c.get('auth') as AuthInfo
+  return get(c, body, auth)
 })
 
 // Create webhook
-app.post('/', middlewareKey(['all', 'write']), async (c) => {
+app.post('/', middlewareV2(['all', 'write']), async (c) => {
   const body = await getBodyOrQuery<any>(c)
-  const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row']
-  return post(c, body, apikey)
+  const auth = c.get('auth') as AuthInfo
+  return post(c, body, auth)
 })
 
 // Update webhook
-app.put('/', middlewareKey(['all', 'write']), async (c) => {
+app.put('/', middlewareV2(['all', 'write']), async (c) => {
   const body = await getBodyOrQuery<any>(c)
-  const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row']
-  return put(c, body, apikey)
+  const auth = c.get('auth') as AuthInfo
+  return put(c, body, auth)
 })
 
 // Delete webhook
-app.delete('/', middlewareKey(['all', 'write']), async (c) => {
+app.delete('/', middlewareV2(['all', 'write']), async (c) => {
   const body = await getBodyOrQuery<any>(c)
-  const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row']
-  return deleteWebhook(c, body, apikey)
+  const auth = c.get('auth') as AuthInfo
+  return deleteWebhook(c, body, auth)
 })
 
 // Test webhook (supports both JWT and API key auth)
@@ -149,10 +149,10 @@ app.post('/test', middlewareV2(['all', 'write']), async (c) => {
 })
 
 // Get webhook deliveries
-app.get('/deliveries', middlewareKey(['all', 'write']), async (c) => {
+app.get('/deliveries', middlewareV2(['all', 'write']), async (c) => {
   const body = await getBodyOrQuery<any>(c)
-  const apikey = c.get('apikey') as Database['public']['Tables']['apikeys']['Row']
-  return getDeliveries(c, body, apikey)
+  const auth = c.get('auth') as AuthInfo
+  return getDeliveries(c, body, auth)
 })
 
 // Retry a failed delivery (supports both JWT and API key auth)
diff --git a/supabase/functions/_backend/public/webhooks/post.ts b/supabase/functions/_backend/public/webhooks/post.ts
index 0522d49f68..0175657aca 100644
--- a/supabase/functions/_backend/public/webhooks/post.ts
+++ b/supabase/functions/_backend/public/webhooks/post.ts
@@ -1,11 +1,12 @@
 import type { Context } from 'hono'
-import type { Database } from '../../utils/supabase.types.ts'
+import type { AuthInfo, MiddlewareKeyVariables } from '../../utils/hono.ts'
 import { type } from 'arktype'
 import { safeParseSchema } from '../../utils/ark_validation.ts'
 import { simpleError } from '../../utils/hono.ts'
-import { supabaseApikey } from '../../utils/supabase.ts'
-import { getWebhookPublicUrlValidationError, WEBHOOK_EVENT_TYPES } from '../../utils/webhook.ts'
-import { checkWebhookPermission } from './index.ts'
+import { supabaseAdmin } from '../../utils/supabase.ts'
+import { getWebhookLogUrlMetadata, getWebhookPublicUrlValidationError, parseWebhookDeliveryVersion, WEBHOOK_EVENT_TYPES } from '../../utils/webhook.ts'
+import { checkWebhookPermissionV2 } from './index.ts'
+import { webhookCreatedSelect } from './response.ts'
 
 const bodySchema = type({
   'orgId': 'string',
@@ -13,16 +14,25 @@ const bodySchema = type({
   'url': 'string.url',
   'events': 'string[] > 0',
   'enabled?': 'boolean',
+  'deliveryVersion?': 'string',
+  'delivery_version?': 'string',
 })
 
-export async function post(c: Context, bodyRaw: any, apikey: Database['public']['Tables']['apikeys']['Row']): Promise<Response> {
+export async function post(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw: any, auth: AuthInfo): Promise<Response> {
   const bodyParsed = safeParseSchema(bodySchema, bodyRaw)
   if (!bodyParsed.success) {
     throw simpleError('invalid_body', 'Invalid body', { error: bodyParsed.error })
   }
   const body = bodyParsed.data
 
-  await checkWebhookPermission(c, body.orgId, apikey)
+  await checkWebhookPermissionV2(c, body.orgId, auth)
+
+  const deliveryVersion = parseWebhookDeliveryVersion(body.deliveryVersion ?? body.delivery_version ?? 'legacy')
+  if (!deliveryVersion) {
+    throw simpleError('invalid_delivery_version', 'Invalid webhook delivery version', {
+      allowed: ['legacy', 'standard'],
+    })
+  }
 
   // Validate events are allowed
   const invalidEvents = body.events.filter(e => !WEBHOOK_EVENT_TYPES.includes(e as any))
@@ -35,12 +45,10 @@ export async function post(c: Context, bodyRaw: any, apikey: Database['public'][
 
   const urlError = await getWebhookPublicUrlValidationError(c, body.url)
   if (urlError)
-    throw simpleError('invalid_url', urlError, { url: body.url })
+    throw simpleError('invalid_url', urlError, { urlInfo: getWebhookLogUrlMetadata(body.url) })
 
-  // Create webhook using authenticated client - RLS will enforce access
-  // Note: Using type assertion as webhooks table types are not yet generated
-  const supabase = supabaseApikey(c, c.get('capgkey') as string)
-  const { data, error } = await (supabase as any)
+  // Direct RLS access to webhook tables is intentionally denied; use service-role only after explicit permission checks.
+  const { data, error } = await supabaseAdmin(c)
     .from('webhooks')
     .insert({
       org_id: body.orgId,
@@ -48,9 +56,11 @@ export async function post(c: Context, bodyRaw: any, apikey: Database['public'][
       url: body.url,
       events: body.events,
       enabled: body.enabled ?? true,
-      created_by: apikey.user_id,
+      delivery_version: deliveryVersion,
+      created_by: auth.userId,
     })
-    .select()
+    // Return the secret once on creation so admins can store it; read/update endpoints never expose it.
+    .select(webhookCreatedSelect)
     .single()
 
   if (error) {
diff --git a/supabase/functions/_backend/public/webhooks/put.ts b/supabase/functions/_backend/public/webhooks/put.ts
index b9a634eb8d..1483334743 100644
--- a/supabase/functions/_backend/public/webhooks/put.ts
+++ b/supabase/functions/_backend/public/webhooks/put.ts
@@ -1,11 +1,14 @@
 import type { Context } from 'hono'
+import type { AuthInfo, MiddlewareKeyVariables } from '../../utils/hono.ts'
 import type { Database } from '../../utils/supabase.types.ts'
+import type { WebhookDeliveryVersion } from '../../utils/webhook.ts'
 import { type } from 'arktype'
 import { safeParseSchema } from '../../utils/ark_validation.ts'
 import { simpleError } from '../../utils/hono.ts'
-import { supabaseApikey } from '../../utils/supabase.ts'
-import { getWebhookPublicUrlValidationError, WEBHOOK_EVENT_TYPES } from '../../utils/webhook.ts'
-import { checkWebhookPermission } from './index.ts'
+import { supabaseAdmin } from '../../utils/supabase.ts'
+import { getWebhookLogUrlMetadata, getWebhookPublicUrlValidationError, parseWebhookDeliveryVersion, WEBHOOK_EVENT_TYPES } from '../../utils/webhook.ts'
+import { checkWebhookPermissionV2 } from './index.ts'
+import { webhookPublicSelect } from './response.ts'
 
 const bodySchema = type({
   'orgId': 'string',
@@ -14,23 +17,91 @@ const bodySchema = type({
   'url?': 'string.url',
   'events?': 'string[] > 0',
   'enabled?': 'boolean',
+  'deliveryVersion?': 'string',
+  'delivery_version?': 'string',
 })
 
-export async function put(c: Context, bodyRaw: any, apikey: Database['public']['Tables']['apikeys']['Row']): Promise<Response> {
+interface PutWebhookBody {
+  orgId: string
+  webhookId: string
+  name?: string
+  url?: string
+  events?: string[]
+  enabled?: boolean
+  deliveryVersion?: string
+  delivery_version?: string
+}
+
+function parseRequestedDeliveryVersion(requestedDeliveryVersion: string | undefined): WebhookDeliveryVersion | undefined {
+  if (requestedDeliveryVersion === undefined)
+    return undefined
+
+  const deliveryVersion = parseWebhookDeliveryVersion(requestedDeliveryVersion)
+  if (!deliveryVersion) {
+    throw simpleError('invalid_delivery_version', 'Invalid webhook delivery version', {
+      allowed: ['legacy', 'standard'],
+    })
+  }
+
+  return deliveryVersion
+}
+
+function validateEvents(events: string[] | undefined): void {
+  if (!events)
+    return
+
+  const invalidEvents = events.filter(e => !WEBHOOK_EVENT_TYPES.includes(e as any))
+  if (invalidEvents.length > 0) {
+    throw simpleError('invalid_events', 'Invalid event types', {
+      invalid: invalidEvents,
+      allowed: WEBHOOK_EVENT_TYPES,
+    })
+  }
+}
+
+async function validateWebhookUrl(c: Context<MiddlewareKeyVariables, any, any>, url: string | undefined): Promise<void> {
+  if (!url)
+    return
+
+  const urlError = await getWebhookPublicUrlValidationError(c, url)
+  if (urlError)
+    throw simpleError('invalid_url', urlError, { urlInfo: getWebhookLogUrlMetadata(url) })
+}
+
+function buildWebhookUpdateData(
+  body: PutWebhookBody,
+  deliveryVersion: WebhookDeliveryVersion | undefined,
+): Database['public']['Tables']['webhooks']['Update'] {
+  const updateData: Database['public']['Tables']['webhooks']['Update'] = {}
+  if (body.name !== undefined)
+    updateData.name = body.name
+  if (body.url !== undefined)
+    updateData.url = body.url
+  if (body.events !== undefined)
+    updateData.events = body.events
+  if (body.enabled !== undefined)
+    updateData.enabled = body.enabled
+  if (deliveryVersion !== undefined)
+    updateData.delivery_version = deliveryVersion
+
+  return updateData
+}
+
+export async function put(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw: any, auth: AuthInfo): Promise<Response> {
   const bodyParsed = safeParseSchema(bodySchema, bodyRaw)
   if (!bodyParsed.success) {
     throw simpleError('invalid_body', 'Invalid body', { error: bodyParsed.error })
   }
-  const body = bodyParsed.data
+  const body = bodyParsed.data as PutWebhookBody
 
-  await checkWebhookPermission(c, body.orgId, apikey)
+  await checkWebhookPermissionV2(c, body.orgId, auth)
+  const deliveryVersion = parseRequestedDeliveryVersion(body.deliveryVersion ?? body.delivery_version)
 
-  // Use authenticated client - RLS will enforce access
-  const supabase = supabaseApikey(c, c.get('capgkey') as string)
+  // Direct RLS access to webhook tables is intentionally denied; use service-role only after explicit permission checks.
+  const supabase = supabaseAdmin(c)
 
   // Verify webhook belongs to org
-  // Note: Using type assertion as webhooks table types are not yet generated
-  const { data: existingWebhook, error: fetchError } = await (supabase as any)
+  const { data: existingWebhook, error: fetchError } = await supabase
     .from('webhooks')
     .select('id, org_id')
     .eq('id', body.webhookId)
@@ -44,45 +115,21 @@ export async function put(c: Context, bodyRaw: any, apikey: Database['public']['
     throw simpleError('no_permission', 'Webhook does not belong to this organization', { webhookId: body.webhookId })
   }
 
-  // Validate events if provided
-  if (body.events) {
-    const invalidEvents = body.events.filter(e => !WEBHOOK_EVENT_TYPES.includes(e as any))
-    if (invalidEvents.length > 0) {
-      throw simpleError('invalid_events', 'Invalid event types', {
-        invalid: invalidEvents,
-        allowed: WEBHOOK_EVENT_TYPES,
-      })
-    }
-  }
-
-  // Validate URL if provided
-  if (body.url) {
-    const urlError = await getWebhookPublicUrlValidationError(c, body.url)
-    if (urlError)
-      throw simpleError('invalid_url', urlError, { url: body.url })
-  }
+  validateEvents(body.events)
+  await validateWebhookUrl(c, body.url)
 
   // Build update object
-  const updateData: Record<string, any> = {}
-  if (body.name !== undefined)
-    updateData.name = body.name
-  if (body.url !== undefined)
-    updateData.url = body.url
-  if (body.events !== undefined)
-    updateData.events = body.events
-  if (body.enabled !== undefined)
-    updateData.enabled = body.enabled
-
+  const updateData = buildWebhookUpdateData(body, deliveryVersion)
   if (Object.keys(updateData).length === 0) {
     throw simpleError('no_updates', 'No fields to update')
   }
 
   // Update webhook
-  const { data, error } = await (supabase as any)
+  const { data, error } = await supabase
     .from('webhooks')
     .update(updateData)
     .eq('id', body.webhookId)
-    .select()
+    .select(webhookPublicSelect)
     .single()
 
   if (error) {
diff --git a/supabase/functions/_backend/public/webhooks/response.ts b/supabase/functions/_backend/public/webhooks/response.ts
new file mode 100644
index 0000000000..312505e0f8
--- /dev/null
+++ b/supabase/functions/_backend/public/webhooks/response.ts
@@ -0,0 +1,19 @@
+import { type } from 'arktype'
+
+export const webhookPublicSelect = 'id, org_id, name, url, enabled, events, delivery_version, created_at, updated_at, created_by'
+export const webhookCreatedSelect = `${webhookPublicSelect}, secret`
+
+export const webhookPublicSchema = type({
+  id: 'string',
+  org_id: 'string',
+  name: 'string',
+  url: 'string',
+  enabled: 'boolean',
+  events: 'string[]',
+  delivery_version: 'string',
+  created_at: 'string',
+  updated_at: 'string',
+  created_by: 'string | null',
+})
+
+export const webhooksPublicSchema = webhookPublicSchema.array()
diff --git a/supabase/functions/_backend/public/webhooks/test.ts b/supabase/functions/_backend/public/webhooks/test.ts
index 072e03d7f3..54ac7228e5 100644
--- a/supabase/functions/_backend/public/webhooks/test.ts
+++ b/supabase/functions/_backend/public/webhooks/test.ts
@@ -3,12 +3,14 @@ import type { AuthInfo, MiddlewareKeyVariables } from '../../utils/hono.ts'
 import { type } from 'arktype'
 import { safeParseSchema } from '../../utils/ark_validation.ts'
 import { simpleError } from '../../utils/hono.ts'
-import { supabaseWithAuth } from '../../utils/supabase.ts'
+import { supabaseAdmin } from '../../utils/supabase.ts'
 import {
   createDeliveryRecord,
   createTestPayload,
   deliverWebhook,
+  getWebhookLogUrlMetadata,
   getWebhookPublicUrlValidationError,
+  normalizeWebhookDeliveryVersion,
   updateDeliveryResult,
 } from '../../utils/webhook.ts'
 import { checkWebhookPermissionV2 } from './index.ts'
@@ -27,12 +29,10 @@ export async function test(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw
 
   await checkWebhookPermissionV2(c, body.orgId, auth)
 
-  // Use authenticated client - RLS will enforce access
-  const supabase = supabaseWithAuth(c, auth)
+  const supabase = supabaseAdmin(c)
 
   // Get webhook
-  // Note: Using type assertion as webhooks table types are not yet generated
-  const { data: webhook, error: fetchError } = await (supabase as any)
+  const { data: webhook, error: fetchError } = await supabase
     .from('webhooks')
     .select('*')
     .eq('id', body.webhookId)
@@ -48,10 +48,11 @@ export async function test(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw
 
   const urlError = await getWebhookPublicUrlValidationError(c, webhook.url)
   if (urlError)
-    throw simpleError('invalid_url', urlError, { url: webhook.url })
+    throw simpleError('invalid_url', urlError, { urlInfo: getWebhookLogUrlMetadata(webhook.url) })
 
   // Create test payload
   const payload = createTestPayload(body.orgId)
+  const deliveryVersion = normalizeWebhookDeliveryVersion(webhook.delivery_version)
 
   // Create delivery record for the test
   const delivery = await createDeliveryRecord(
@@ -61,6 +62,7 @@ export async function test(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw
     null, // No audit_log_id for test events
     'test.ping',
     payload,
+    deliveryVersion,
   )
 
   if (!delivery) {
@@ -68,7 +70,7 @@ export async function test(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw
   }
 
   // Immediately deliver the test webhook (bypass queue)
-  const result = await deliverWebhook(c, delivery.id, webhook.url, payload, webhook.secret)
+  const result = await deliverWebhook(c, delivery.id, webhook.url, payload, webhook.secret, deliveryVersion)
 
   // Update delivery record with result
   await updateDeliveryResult(
@@ -81,11 +83,17 @@ export async function test(c: Context<MiddlewareKeyVariables, any, any>, bodyRaw
   )
 
   // Update attempt count
-  await (supabase as any)
+  const { error: attemptCountError } = await supabase
     .from('webhook_deliveries')
     .update({ attempt_count: 1 })
     .eq('id', delivery.id)
 
+  if (attemptCountError) {
+    throw simpleError('cannot_update_delivery', 'Cannot update delivery attempt count', {
+      deliveryId: delivery.id,
+    })
+  }
+
   return c.json({
     success: result.success,
     status: result.status,
diff --git a/supabase/functions/_backend/triggers/webhook_delivery.ts b/supabase/functions/_backend/triggers/webhook_delivery.ts
index ff10419ef0..7b10ca11ea 100644
--- a/supabase/functions/_backend/triggers/webhook_delivery.ts
+++ b/supabase/functions/_backend/triggers/webhook_delivery.ts
@@ -1,5 +1,5 @@
 import type { MiddlewareKeyVariables } from '../utils/hono.ts'
-import type { WebhookPayload } from '../utils/webhook.ts'
+import type { WebhookDeliveryPayload } from '../utils/webhook.ts'
 import { Hono } from 'hono/tiny'
 import { BRES, middlewareAPISecret } from '../utils/hono.ts'
 import { cloudlog, cloudlogErr, serializeError } from '../utils/logging.ts'
@@ -8,13 +8,17 @@ import { closeClient, getDrizzleClient, getPgClient } from '../utils/pg.ts'
 import { backgroundTask } from '../utils/utils.ts'
 import {
   deliverWebhook,
+  disableWebhook,
   getDeliveryById,
   getWebhookById,
+  getWebhookPayloadEvent,
+  getWebhookPayloadEventId,
   incrementAttemptCount,
   markDeliveryFailed,
+  normalizeWebhookDeliveryVersion,
   queueWebhookDeliveryWithDelay,
+  scheduleRetry,
   updateDeliveryResult,
-
 } from '../utils/webhook.ts'
 
 export const app = new Hono<MiddlewareKeyVariables>()
@@ -23,7 +27,7 @@ interface DeliveryMessage {
   delivery_id: string
   webhook_id: string
   url: string
-  payload: WebhookPayload
+  payload: WebhookDeliveryPayload
 }
 
 /**
@@ -100,6 +104,7 @@ app.post('/', middlewareAPISecret, async (c) => {
 
     // Increment attempt count
     const attemptCount = await incrementAttemptCount(c, deliveryData.delivery_id)
+    const deliveryVersion = normalizeWebhookDeliveryVersion(delivery.delivery_version ?? webhook.delivery_version)
 
     // Attempt delivery with signature
     const result = await deliverWebhook(
@@ -108,6 +113,7 @@ app.post('/', middlewareAPISecret, async (c) => {
       deliveryData.url,
       deliveryData.payload,
       webhook.secret,
+      deliveryVersion,
     )
 
     // Update delivery record with result
@@ -131,12 +137,32 @@ app.post('/', middlewareAPISecret, async (c) => {
       return c.json(BRES)
     }
 
+    // 410 Gone is an explicit opt-out: disable the endpoint and stop retrying.
+    if (result.status === 410) {
+      await markDeliveryFailed(c, deliveryData.delivery_id)
+      await disableWebhook(c, deliveryData.webhook_id)
+
+      cloudlog({
+        requestId: c.get('requestId'),
+        message: 'Webhook endpoint disabled after 410 Gone response',
+        deliveryId: deliveryData.delivery_id,
+        webhookId: deliveryData.webhook_id,
+      })
+
+      return c.json(BRES)
+    }
+
     // Handle failure
-    const maxAttempts = delivery.max_attempts || 3
+    const maxAttempts = delivery.max_attempts || 10
 
     if (attemptCount < maxAttempts) {
-      // Schedule retry with exponential backoff
-      const retryDelaySeconds = 2 ** attemptCount * 60 // 2min, 4min, 8min
+      const retryDelaySeconds = await scheduleRetry(
+        c,
+        deliveryData.delivery_id,
+        attemptCount,
+        result.retryAfter,
+        result.status ?? null,
+      )
 
       cloudlog({
         requestId: c.get('requestId'),
@@ -160,6 +186,7 @@ app.post('/', middlewareAPISecret, async (c) => {
     else {
       // Max retries reached, mark as permanently failed
       await markDeliveryFailed(c, deliveryData.delivery_id)
+      await disableWebhook(c, deliveryData.webhook_id)
 
       cloudlog({
         requestId: c.get('requestId'),
@@ -180,13 +207,13 @@ app.post('/', middlewareAPISecret, async (c) => {
             {
               webhook_name: webhook.name,
               webhook_url: webhook.url,
-              event_type: deliveryData.payload.event,
+              event_type: getWebhookPayloadEvent(deliveryData.payload),
               attempts: attemptCount,
               last_error: result.body?.slice(0, 500) || 'Unknown error',
               delivery_id: deliveryData.delivery_id,
             },
             webhook.org_id,
-            `webhook_failure_${webhook.id}_${deliveryData.payload.event_id}`,
+            `webhook_failure_${webhook.id}_${getWebhookPayloadEventId(deliveryData.payload)}`,
             '0 0 * * *', // Rate limit to once per day per webhook+event
             webhook.orgs.management_email,
             drizzleClient,
diff --git a/supabase/functions/_backend/triggers/webhook_dispatcher.ts b/supabase/functions/_backend/triggers/webhook_dispatcher.ts
index 45e6118cb1..cababb4a1a 100644
--- a/supabase/functions/_backend/triggers/webhook_dispatcher.ts
+++ b/supabase/functions/_backend/triggers/webhook_dispatcher.ts
@@ -5,11 +5,12 @@ import { BRES, middlewareAPISecret } from '../utils/hono.ts'
 import { cloudlog, cloudlogErr, serializeError } from '../utils/logging.ts'
 import { backgroundTask } from '../utils/utils.ts'
 import {
-
+  buildWebhookDeliveryPayload,
   buildWebhookPayload,
   createDeliveryRecord,
   findWebhooksForEvent,
   getWebhookPublicUrlValidationError,
+  normalizeWebhookDeliveryVersion,
   queueWebhookDelivery,
   updateDeliveryResult,
 } from '../utils/webhook.ts'
@@ -80,6 +81,9 @@ app.post('/', middlewareAPISecret, async (c) => {
     // Process each webhook
     await backgroundTask(c, Promise.all(webhooks.map(async (webhook) => {
       try {
+        const deliveryVersion = normalizeWebhookDeliveryVersion(webhook.delivery_version)
+        const deliveryPayload = buildWebhookDeliveryPayload(payload, deliveryVersion)
+
         // Create a delivery record
         const delivery = await createDeliveryRecord(
           c,
@@ -88,6 +92,7 @@ app.post('/', middlewareAPISecret, async (c) => {
           auditLogData.audit_log_id,
           eventType,
           payload,
+          deliveryVersion,
         )
 
         if (!delivery) {
@@ -124,7 +129,7 @@ app.post('/', middlewareAPISecret, async (c) => {
           delivery.id,
           webhook.id,
           webhook.url,
-          payload,
+          deliveryPayload,
         )
 
         cloudlog({
diff --git a/supabase/functions/_backend/utils/supabase.types.ts b/supabase/functions/_backend/utils/supabase.types.ts
index 34083ec86f..ef7625ccb3 100644
--- a/supabase/functions/_backend/utils/supabase.types.ts
+++ b/supabase/functions/_backend/utils/supabase.types.ts
@@ -2773,6 +2773,7 @@ export type Database = {
           audit_log_id: number | null
           completed_at: string | null
           created_at: string
+          delivery_version: string
           duration_ms: number | null
           event_type: string
           id: string
@@ -2791,6 +2792,7 @@ export type Database = {
           audit_log_id?: number | null
           completed_at?: string | null
           created_at?: string
+          delivery_version?: string
           duration_ms?: number | null
           event_type: string
           id?: string
@@ -2809,6 +2811,7 @@ export type Database = {
           audit_log_id?: number | null
           completed_at?: string | null
           created_at?: string
+          delivery_version?: string
           duration_ms?: number | null
           event_type?: string
           id?: string
@@ -2843,6 +2846,7 @@ export type Database = {
         Row: {
           created_at: string
           created_by: string | null
+          delivery_version: string
           enabled: boolean
           events: string[]
           id: string
@@ -2855,6 +2859,7 @@ export type Database = {
         Insert: {
           created_at?: string
           created_by?: string | null
+          delivery_version?: string
           enabled?: boolean
           events: string[]
           id?: string
@@ -2867,6 +2872,7 @@ export type Database = {
         Update: {
           created_at?: string
           created_by?: string | null
+          delivery_version?: string
           enabled?: boolean
           events?: string[]
           id?: string
diff --git a/supabase/functions/_backend/utils/webhook.ts b/supabase/functions/_backend/utils/webhook.ts
index 530a70f0f3..b85f692abf 100644
--- a/supabase/functions/_backend/utils/webhook.ts
+++ b/supabase/functions/_backend/utils/webhook.ts
@@ -7,6 +7,7 @@ import { getEnv } from './utils.ts'
 
 // Webhook payload structure sent to user endpoints
 export interface WebhookPayload {
+  type: string // Standard Webhooks event type
   event: string // e.g., 'app_versions.INSERT'
   event_id: string // Unique event identifier
   timestamp: string // ISO timestamp
@@ -21,6 +22,43 @@ export interface WebhookPayload {
   }
 }
 
+export type LegacyWebhookPayload = Omit<WebhookPayload, 'type'>
+export type WebhookDeliveryPayload = WebhookPayload | LegacyWebhookPayload
+
+export const WEBHOOK_DELIVERY_VERSIONS = ['legacy', 'standard'] as const
+export type WebhookDeliveryVersion = typeof WEBHOOK_DELIVERY_VERSIONS[number]
+
+export function parseWebhookDeliveryVersion(value: unknown): WebhookDeliveryVersion | null {
+  return value === 'legacy' || value === 'standard' ? value : null
+}
+
+export function normalizeWebhookDeliveryVersion(value: unknown): WebhookDeliveryVersion {
+  return parseWebhookDeliveryVersion(value) ?? 'legacy'
+}
+
+export function buildWebhookDeliveryPayload(
+  payload: WebhookDeliveryPayload,
+  deliveryVersion: WebhookDeliveryVersion,
+): WebhookDeliveryPayload {
+  if (deliveryVersion === 'standard') {
+    return {
+      ...payload,
+      type: 'type' in payload ? payload.type : payload.event,
+    }
+  }
+
+  const { type: _type, ...legacyPayload } = payload as WebhookPayload
+  return legacyPayload
+}
+
+export function getWebhookPayloadEvent(payload: WebhookDeliveryPayload): string {
+  return payload.event
+}
+
+export function getWebhookPayloadEventId(payload: WebhookDeliveryPayload): string {
+  return payload.event_id
+}
+
 // Audit log data from the database trigger
 export interface AuditLogData {
   audit_log_id: number
@@ -46,6 +84,48 @@ export const WEBHOOK_EVENT_TYPES = [
 
 export type WebhookEventType = typeof WEBHOOK_EVENT_TYPES[number]
 
+const WEBHOOK_DELIVERY_TIMEOUT_MS = 20000
+const WEBHOOK_RESPONSE_BODY_LIMIT_BYTES = 10000
+const WEBHOOK_MAX_RETRY_AFTER_SECONDS = 24 * 60 * 60
+const WEBHOOK_RETRY_THROTTLE_STATUSES = new Set([429, 502, 504])
+const WEBHOOK_RETRY_DELAYS_SECONDS = [
+  5,
+  5 * 60,
+  30 * 60,
+  2 * 60 * 60,
+  5 * 60 * 60,
+  10 * 60 * 60,
+  14 * 60 * 60,
+  20 * 60 * 60,
+  24 * 60 * 60,
+]
+
+interface WebhookLogUrlMetadata {
+  valid: boolean
+  protocol?: string
+  hostnameLength?: number
+  pathSegmentCount?: number
+  hasQuery?: boolean
+  hasCredentials?: boolean
+}
+
+export function getWebhookLogUrlMetadata(urlString: string): WebhookLogUrlMetadata {
+  try {
+    const parsedUrl = new URL(urlString)
+    return {
+      valid: true,
+      protocol: parsedUrl.protocol.replace(/:$/, ''),
+      hostnameLength: parsedUrl.hostname.length,
+      pathSegmentCount: parsedUrl.pathname.split('/').filter(Boolean).length,
+      hasQuery: parsedUrl.search.length > 0,
+      hasCredentials: Boolean(parsedUrl.username || parsedUrl.password),
+    }
+  }
+  catch {
+    return { valid: false }
+  }
+}
+
 function allowLocalWebhookUrls(c: Context): boolean {
   return getEnv(c, 'CAPGO_ALLOW_LOCAL_WEBHOOK_URLS') === 'true'
 }
@@ -78,8 +158,10 @@ export async function getWebhookPublicUrlValidationError(c: Context, urlString:
  * Build a webhook payload from audit log data
  */
 export function buildWebhookPayload(auditLogData: AuditLogData): WebhookPayload {
+  const eventType = `${auditLogData.table_name}.${auditLogData.operation}`
   return {
-    event: `${auditLogData.table_name}.${auditLogData.operation}`,
+    type: eventType,
+    event: eventType,
     event_id: crypto.randomUUID(),
     timestamp: new Date().toISOString(),
     org_id: auditLogData.org_id,
@@ -127,8 +209,11 @@ export async function createDeliveryRecord(
   orgId: string,
   auditLogId: number | null,
   eventType: string,
-  payload: WebhookPayload,
+  payload: WebhookDeliveryPayload,
+  deliveryVersion: WebhookDeliveryVersion = 'legacy',
 ) {
+  const requestPayload = buildWebhookDeliveryPayload(payload, deliveryVersion)
+
   // Note: Using type assertion as webhook_deliveries table types are not yet generated
   const { data: delivery, error } = await supabaseAdmin(c)
     .from('webhook_deliveries')
@@ -137,7 +222,8 @@ export async function createDeliveryRecord(
       org_id: orgId,
       audit_log_id: auditLogId,
       event_type: eventType,
-      request_payload: payload as any,
+      request_payload: requestPayload as any,
+      delivery_version: deliveryVersion,
       status: 'pending',
     })
     .select()
@@ -152,7 +238,7 @@ export async function createDeliveryRecord(
 }
 
 /**
- * Generate HMAC-SHA256 signature for webhook payload
+ * Generate the legacy Capgo HMAC-SHA256 signature for webhook payload
  * The signature format is: v1={timestamp}.{hmac}
  * This allows receivers to verify the request came from Capgo
  */
@@ -185,6 +271,168 @@ export async function generateWebhookSignature(
   return `v1=${timestamp}.${hexSignature}`
 }
 
+function base64Encode(bytes: ArrayBuffer): string {
+  const byteArray = new Uint8Array(bytes)
+  const binary = Array.from(byteArray, byte => String.fromCodePoint(byte)).join('')
+  return btoa(binary)
+}
+
+function bytesToArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  const copy = new Uint8Array(bytes.byteLength)
+  copy.set(bytes)
+  return copy.buffer
+}
+
+function decodeSerializedWebhookSecret(secret: string): ArrayBuffer {
+  const encoder = new TextEncoder()
+  if (!secret.startsWith('whsec_'))
+    return bytesToArrayBuffer(encoder.encode(secret))
+
+  try {
+    const decoded = atob(secret.slice('whsec_'.length))
+    const bytes = new Uint8Array(decoded.length)
+    for (let i = 0; i < decoded.length; i++)
+      bytes[i] = decoded.codePointAt(i) ?? 0
+
+    // Standard Webhooks symmetric keys are 24-64 random bytes. Existing Capgo
+    // whsec hex strings decode to 24 bytes, so they can verify through standard
+    // libraries without rotating customer secrets.
+    if (bytes.length >= 24 && bytes.length <= 64)
+      return bytesToArrayBuffer(bytes)
+  }
+  catch {
+    // Fall through to legacy raw-text signing for malformed historical secrets.
+  }
+
+  return bytesToArrayBuffer(encoder.encode(secret))
+}
+
+/**
+ * Generate a Standard Webhooks HMAC-SHA256 signature.
+ * The signed content is webhook-id.webhook-timestamp.payload.
+ */
+export async function generateStandardWebhookSignature(
+  secret: string,
+  messageId: string,
+  timestamp: string,
+  payload: string,
+): Promise<string> {
+  const signaturePayload = `${messageId}.${timestamp}.${payload}`
+  const encoder = new TextEncoder()
+  const key = await crypto.subtle.importKey(
+    'raw',
+    decodeSerializedWebhookSecret(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign'],
+  )
+
+  const signature = await crypto.subtle.sign(
+    'HMAC',
+    key,
+    encoder.encode(signaturePayload),
+  )
+
+  return `v1,${base64Encode(signature)}`
+}
+
+export function parseRetryAfterSeconds(retryAfter: string | null | undefined, now = new Date()): number | null {
+  if (!retryAfter)
+    return null
+
+  const trimmed = retryAfter.trim()
+  if (!trimmed)
+    return null
+
+  if (/^\d+$/.test(trimmed))
+    return Math.min(Number.parseInt(trimmed, 10), WEBHOOK_MAX_RETRY_AFTER_SECONDS)
+
+  const retryDate = new Date(trimmed)
+  const retryAt = retryDate.getTime()
+  if (Number.isNaN(retryAt))
+    return null
+
+  const seconds = Math.ceil((retryAt - now.getTime()) / 1000)
+  if (seconds <= 0)
+    return null
+
+  return Math.min(seconds, WEBHOOK_MAX_RETRY_AFTER_SECONDS)
+}
+
+function getWebhookRetryRandomValue(): number {
+  const randomBytes = new Uint32Array(1)
+  crypto.getRandomValues(randomBytes)
+  return randomBytes[0] / 0x100000000
+}
+
+export function getWebhookRetryDelaySeconds(
+  attemptCount: number,
+  retryAfter: string | null | undefined,
+  status: number | null | undefined,
+  randomValue = getWebhookRetryRandomValue(),
+): number {
+  const retryIndex = Math.max(0, Math.min(attemptCount - 1, WEBHOOK_RETRY_DELAYS_SECONDS.length - 1))
+  let delaySeconds = WEBHOOK_RETRY_DELAYS_SECONDS[retryIndex]
+
+  if (status && WEBHOOK_RETRY_THROTTLE_STATUSES.has(status))
+    delaySeconds = Math.max(delaySeconds, 5 * 60)
+
+  const retryAfterSeconds = parseRetryAfterSeconds(retryAfter)
+  if (retryAfterSeconds !== null)
+    delaySeconds = Math.max(delaySeconds, retryAfterSeconds)
+
+  const minimumDelaySeconds = delaySeconds
+  const jitterRange = Math.max(1, Math.ceil(delaySeconds * 0.1))
+  const jitter = Math.floor(randomValue * (jitterRange * 2 + 1)) - jitterRange
+
+  return Math.max(
+    minimumDelaySeconds,
+    Math.min(WEBHOOK_MAX_RETRY_AFTER_SECONDS, delaySeconds + jitter),
+  )
+}
+
+async function readWebhookResponsePreview(response: Response, maxBytes: number): Promise<string> {
+  const reader = response.body?.getReader()
+  if (!reader)
+    return ''
+
+  const decoder = new TextDecoder()
+  let preview = ''
+  let receivedBytes = 0
+  let shouldCancel = true
+
+  try {
+    while (receivedBytes < maxBytes) {
+      const { done, value } = await reader.read()
+      if (done) {
+        shouldCancel = false
+        break
+      }
+
+      if (!value)
+        continue
+
+      const remainingBytes = maxBytes - receivedBytes
+      const chunk = value.byteLength > remainingBytes
+        ? value.subarray(0, remainingBytes)
+        : value
+
+      receivedBytes += chunk.byteLength
+      preview += decoder.decode(chunk, { stream: true })
+
+      if (chunk.byteLength < value.byteLength)
+        break
+    }
+
+    preview += decoder.decode()
+    return preview
+  }
+  finally {
+    if (shouldCancel)
+      await reader.cancel().catch(() => undefined)
+  }
+}
+
 /**
  * Deliver a webhook to the user's endpoint
  */
@@ -192,10 +440,12 @@ export async function deliverWebhook(
   c: Context,
   deliveryId: string,
   url: string,
-  payload: WebhookPayload,
+  payload: WebhookDeliveryPayload,
   secret: string,
-): Promise<{ success: boolean, status?: number, body?: string, duration?: number }> {
+  deliveryVersion: WebhookDeliveryVersion = 'legacy',
+): Promise<{ success: boolean, status?: number, body?: string, duration?: number, retryAfter?: string | null }> {
   const startTime = Date.now()
+  const urlInfo = getWebhookLogUrlMetadata(url)
 
   const urlValidationError = await getWebhookPublicUrlValidationError(c, url)
   if (urlValidationError) {
@@ -204,7 +454,7 @@ export async function deliverWebhook(
       requestId: c.get('requestId'),
       message: 'Webhook delivery blocked by URL validation',
       deliveryId,
-      url,
+      urlInfo,
       error: urlValidationError,
       duration,
     })
@@ -216,52 +466,67 @@ export async function deliverWebhook(
     }
   }
 
-  const payloadString = JSON.stringify(payload)
+  const deliveryPayload = buildWebhookDeliveryPayload(payload, deliveryVersion)
+  const payloadString = JSON.stringify(deliveryPayload)
   const timestamp = Math.floor(Date.now() / 1000).toString()
+  const eventId = getWebhookPayloadEventId(deliveryPayload)
+  const event = getWebhookPayloadEvent(deliveryPayload)
 
-  // Generate HMAC signature for verification
-  const signature = await generateWebhookSignature(secret, timestamp, payloadString)
+  const legacySignature = await generateWebhookSignature(secret, timestamp, payloadString)
 
   const headers: Record<string, string> = {
     'Content-Type': 'application/json',
     'User-Agent': 'Capgo-Webhook/1.0',
-    'X-Capgo-Event': payload.event,
-    'X-Capgo-Event-ID': payload.event_id,
+    'X-Capgo-Event': event,
+    'X-Capgo-Event-ID': eventId,
     'X-Capgo-Timestamp': timestamp,
-    'X-Capgo-Signature': signature,
+    'X-Capgo-Signature': legacySignature,
+  }
+
+  if (deliveryVersion === 'standard') {
+    const standardSignature = await generateStandardWebhookSignature(secret, eventId, timestamp, payloadString)
+    headers['webhook-id'] = eventId
+    headers['webhook-timestamp'] = timestamp
+    headers['webhook-signature'] = standardSignature
   }
 
   try {
     const controller = new AbortController()
-    const timeoutId = setTimeout(() => controller.abort(), 10000) // 10s timeout
-
-    const response = await fetch(url, {
-      method: 'POST',
-      headers,
-      body: payloadString,
-      redirect: 'manual',
-      signal: controller.signal,
-    })
+    const timeoutId = setTimeout(() => controller.abort(), WEBHOOK_DELIVERY_TIMEOUT_MS)
 
-    clearTimeout(timeoutId)
-    const duration = Date.now() - startTime
-    const responseBody = await response.text()
-
-    cloudlog({
-      requestId: c.get('requestId'),
-      message: 'Webhook delivery attempt',
-      deliveryId,
-      url,
-      status: response.status,
-      success: response.ok,
-      duration,
-    })
-
-    return {
-      success: response.ok,
-      status: response.status,
-      body: responseBody.slice(0, 10000), // Limit stored body size
-      duration,
+    try {
+      const response = await fetch(url, {
+        method: 'POST',
+        headers,
+        body: payloadString,
+        redirect: 'manual',
+        signal: controller.signal,
+      })
+
+      const responseBody = await readWebhookResponsePreview(response, WEBHOOK_RESPONSE_BODY_LIMIT_BYTES)
+      const duration = Date.now() - startTime
+      const retryAfter = response.headers.get('retry-after')
+
+      cloudlog({
+        requestId: c.get('requestId'),
+        message: 'Webhook delivery attempt',
+        deliveryId,
+        urlInfo,
+        status: response.status,
+        success: response.ok,
+        duration,
+      })
+
+      return {
+        success: response.ok,
+        status: response.status,
+        body: responseBody,
+        duration,
+        retryAfter,
+      }
+    }
+    finally {
+      clearTimeout(timeoutId)
     }
   }
   catch (error) {
@@ -272,7 +537,7 @@ export async function deliverWebhook(
       requestId: c.get('requestId'),
       message: 'Webhook delivery failed',
       deliveryId,
-      url,
+      urlInfo,
       error: errorMessage,
       duration,
     })
@@ -347,10 +612,10 @@ export async function scheduleRetry(
   c: Context,
   deliveryId: string,
   attemptCount: number,
-): Promise<void> {
-  // Exponential backoff: 2min, 4min, 8min
-  const retryDelaySeconds = 2 ** attemptCount * 60
-
+  retryAfter?: string | null,
+  responseStatus?: number | null,
+): Promise<number> {
+  const retryDelaySeconds = getWebhookRetryDelaySeconds(attemptCount, retryAfter, responseStatus)
   const nextRetryAt = new Date(Date.now() + retryDelaySeconds * 1000).toISOString()
 
   const { error } = await supabaseAdmin(c)
@@ -372,6 +637,33 @@ export async function scheduleRetry(
     attemptCount,
     nextRetryAt,
     retryDelaySeconds,
+    responseStatus,
+  })
+
+  return retryDelaySeconds
+}
+
+/**
+ * Disable a webhook endpoint after an explicit receiver opt-out.
+ */
+export async function disableWebhook(
+  c: Context,
+  webhookId: string,
+): Promise<void> {
+  const { error } = await supabaseAdmin(c)
+    .from('webhooks')
+    .update({ enabled: false })
+    .eq('id', webhookId)
+
+  if (error) {
+    cloudlogErr({ requestId: c.get('requestId'), message: 'Error disabling webhook', error: serializeError(error) })
+    return
+  }
+
+  cloudlog({
+    requestId: c.get('requestId'),
+    message: 'Disabled webhook endpoint',
+    webhookId,
   })
 }
 
@@ -442,6 +734,7 @@ export async function getDeliveryById(
  */
 export function createTestPayload(orgId: string): WebhookPayload {
   return {
+    type: 'test.ping',
     event: 'test.ping',
     event_id: crypto.randomUUID(),
     timestamp: new Date().toISOString(),
@@ -468,7 +761,7 @@ export async function queueWebhookDelivery(
   deliveryId: string,
   webhookId: string,
   url: string,
-  payload: WebhookPayload,
+  payload: WebhookDeliveryPayload,
 ): Promise<void> {
   const message = {
     function_name: 'webhook_delivery',
@@ -510,7 +803,7 @@ export async function queueWebhookDeliveryWithDelay(
   deliveryId: string,
   webhookId: string,
   url: string,
-  payload: WebhookPayload,
+  payload: WebhookDeliveryPayload,
   delaySeconds: number,
 ): Promise<void> {
   const message = {
diff --git a/supabase/migrations/20260512080234_standard_webhook_secrets.sql b/supabase/migrations/20260512080234_standard_webhook_secrets.sql
new file mode 100644
index 0000000000..c8b742658e
--- /dev/null
+++ b/supabase/migrations/20260512080234_standard_webhook_secrets.sql
@@ -0,0 +1,170 @@
+-- Standard Webhooks compatibility and API-only table access.
+
+ALTER TABLE public.webhooks
+ALTER COLUMN secret SET DEFAULT (
+    'whsec_'::text || encode(extensions.gen_random_bytes(32), 'base64')
+);
+
+COMMENT ON COLUMN public.webhooks.secret IS
+'Standard Webhooks HMAC-SHA256 secret in whsec_ base64 format.';
+
+ALTER TABLE public.webhooks
+ADD COLUMN IF NOT EXISTS delivery_version text NOT NULL DEFAULT 'legacy';
+
+ALTER TABLE public.webhooks
+DROP CONSTRAINT IF EXISTS webhooks_delivery_version_check;
+
+ALTER TABLE public.webhooks
+ADD CONSTRAINT webhooks_delivery_version_check
+CHECK (delivery_version IN ('legacy', 'standard'));
+
+COMMENT ON COLUMN public.webhooks.delivery_version IS
+'Webhook delivery format version. legacy preserves existing Capgo payloads; standard uses Standard Webhooks payload and headers.';
+
+ALTER TABLE public.webhook_deliveries
+ADD COLUMN IF NOT EXISTS delivery_version text NOT NULL DEFAULT 'legacy';
+
+ALTER TABLE public.webhook_deliveries
+DROP CONSTRAINT IF EXISTS webhook_deliveries_delivery_version_check;
+
+ALTER TABLE public.webhook_deliveries
+ADD CONSTRAINT webhook_deliveries_delivery_version_check
+CHECK (delivery_version IN ('legacy', 'standard'));
+
+COMMENT ON COLUMN public.webhook_deliveries.delivery_version IS
+'Delivery format version used for this webhook attempt.';
+
+ALTER TABLE public.webhook_deliveries
+ALTER COLUMN max_attempts SET DEFAULT 10;
+
+UPDATE public.webhook_deliveries
+SET max_attempts = 10
+WHERE status = 'pending'
+  AND (max_attempts IS NULL OR max_attempts < 10);
+
+-- Webhook secrets and delivery payloads must be accessed only through the API.
+-- Service-role jobs keep access for dispatch, delivery, and API handlers.
+REVOKE ALL ON TABLE public.webhooks FROM anon;
+REVOKE ALL ON TABLE public.webhooks FROM authenticated;
+REVOKE ALL ON TABLE public.webhooks FROM public;
+GRANT ALL ON TABLE public.webhooks TO service_role;
+
+REVOKE ALL ON TABLE public.webhook_deliveries FROM anon;
+REVOKE ALL ON TABLE public.webhook_deliveries FROM authenticated;
+REVOKE ALL ON TABLE public.webhook_deliveries FROM public;
+GRANT ALL ON TABLE public.webhook_deliveries TO service_role;
+
+DROP POLICY IF EXISTS "Allow org members to select webhooks" -- noqa: RF05
+ON public.webhooks;
+DROP POLICY IF EXISTS "Allow admin to select webhooks" -- noqa: RF05
+ON public.webhooks;
+DROP POLICY IF EXISTS "Allow admin to insert webhooks" -- noqa: RF05
+ON public.webhooks;
+DROP POLICY IF EXISTS "Allow admin to update webhooks" -- noqa: RF05
+ON public.webhooks;
+DROP POLICY IF EXISTS "Allow admin to delete webhooks" -- noqa: RF05
+ON public.webhooks;
+DROP POLICY IF EXISTS "Deny direct select on webhooks" -- noqa: RF05
+ON public.webhooks;
+DROP POLICY IF EXISTS "Deny direct insert on webhooks" -- noqa: RF05
+ON public.webhooks;
+DROP POLICY IF EXISTS "Deny direct update on webhooks" -- noqa: RF05
+ON public.webhooks;
+DROP POLICY IF EXISTS "Deny direct delete on webhooks" -- noqa: RF05
+ON public.webhooks;
+DROP POLICY IF EXISTS deny_direct_select_on_webhooks ON public.webhooks;
+DROP POLICY IF EXISTS deny_direct_insert_on_webhooks ON public.webhooks;
+DROP POLICY IF EXISTS deny_direct_update_on_webhooks ON public.webhooks;
+DROP POLICY IF EXISTS deny_direct_delete_on_webhooks ON public.webhooks;
+
+CREATE POLICY deny_direct_select_on_webhooks
+ON public.webhooks
+AS RESTRICTIVE
+FOR SELECT
+TO anon, authenticated
+USING (false);
+
+CREATE POLICY deny_direct_insert_on_webhooks
+ON public.webhooks
+AS RESTRICTIVE
+FOR INSERT
+TO anon, authenticated
+WITH CHECK (false);
+
+CREATE POLICY deny_direct_update_on_webhooks
+ON public.webhooks
+AS RESTRICTIVE
+FOR UPDATE
+TO anon, authenticated
+USING (false)
+WITH CHECK (false);
+
+CREATE POLICY deny_direct_delete_on_webhooks
+ON public.webhooks
+AS RESTRICTIVE
+FOR DELETE
+TO anon, authenticated
+USING (false);
+
+DROP POLICY IF EXISTS
+"Allow org members to select webhook_deliveries" -- noqa: RF05
+ON public.webhook_deliveries;
+DROP POLICY IF EXISTS
+"Allow admin to insert webhook_deliveries" -- noqa: RF05
+ON public.webhook_deliveries;
+DROP POLICY IF EXISTS
+"Allow admin to update webhook_deliveries" -- noqa: RF05
+ON public.webhook_deliveries;
+DROP POLICY IF EXISTS
+"Deny direct select on webhook_deliveries" -- noqa: RF05
+ON public.webhook_deliveries;
+DROP POLICY IF EXISTS
+"Deny direct insert on webhook_deliveries" -- noqa: RF05
+ON public.webhook_deliveries;
+DROP POLICY IF EXISTS
+"Deny direct update on webhook_deliveries" -- noqa: RF05
+ON public.webhook_deliveries;
+DROP POLICY IF EXISTS
+"Deny direct delete on webhook_deliveries" -- noqa: RF05
+ON public.webhook_deliveries;
+DROP POLICY IF EXISTS
+deny_direct_select_on_webhook_deliveries
+ON public.webhook_deliveries;
+DROP POLICY IF EXISTS
+deny_direct_insert_on_webhook_deliveries
+ON public.webhook_deliveries;
+DROP POLICY IF EXISTS
+deny_direct_update_on_webhook_deliveries
+ON public.webhook_deliveries;
+DROP POLICY IF EXISTS
+deny_direct_delete_on_webhook_deliveries
+ON public.webhook_deliveries;
+
+CREATE POLICY deny_direct_select_on_webhook_deliveries
+ON public.webhook_deliveries
+AS RESTRICTIVE
+FOR SELECT
+TO anon, authenticated
+USING (false);
+
+CREATE POLICY deny_direct_insert_on_webhook_deliveries
+ON public.webhook_deliveries
+AS RESTRICTIVE
+FOR INSERT
+TO anon, authenticated
+WITH CHECK (false);
+
+CREATE POLICY deny_direct_update_on_webhook_deliveries
+ON public.webhook_deliveries
+AS RESTRICTIVE
+FOR UPDATE
+TO anon, authenticated
+USING (false)
+WITH CHECK (false);
+
+CREATE POLICY deny_direct_delete_on_webhook_deliveries
+ON public.webhook_deliveries
+AS RESTRICTIVE
+FOR DELETE
+TO anon, authenticated
+USING (false);
diff --git a/tests/hashed-apikey-rls.test.ts b/tests/hashed-apikey-rls.test.ts
index 27c18bfd37..d39f50b5ba 100644
--- a/tests/hashed-apikey-rls.test.ts
+++ b/tests/hashed-apikey-rls.test.ts
@@ -1209,37 +1209,38 @@ describe('webhook and webhook_delivery rls with api-key org scope precedence', (
     await deleteApiKey(scopedKey.id)
   })
 
-  it('uses API key org scope when auth context is also present for webhook reads', async () => {
-    const webhookRows = await execWithRoleClaims(
-      'SELECT id FROM public.webhooks WHERE id = $1',
-      {
-        role: 'authenticated',
-        claims: {
-          sub: USER_ID_RLS,
+  it('denies direct webhook reads even when API key scope matches', async () => {
+    await expect(
+      execWithRoleClaims(
+        'SELECT id FROM public.webhooks WHERE id = $1',
+        {
           role: 'authenticated',
-          aud: 'authenticated',
+          claims: {
+            sub: USER_ID_RLS,
+            role: 'authenticated',
+            aud: 'authenticated',
+          },
+          headers: { capgkey: scopedKey.key },
+          params: [webhookId],
         },
-        headers: { capgkey: limitedKey.key },
-        params: [webhookId],
-      },
-    ).then(result => result.rows)
+      ),
+    ).rejects.toMatchObject({ code: '42501' })
 
-    const deliveryRows = await execWithRoleClaims(
-      'SELECT id FROM public.webhook_deliveries WHERE id = $1',
-      {
-        role: 'authenticated',
-        claims: {
-          sub: USER_ID_RLS,
+    await expect(
+      execWithRoleClaims(
+        'SELECT id FROM public.webhook_deliveries WHERE id = $1',
+        {
           role: 'authenticated',
-          aud: 'authenticated',
+          claims: {
+            sub: USER_ID_RLS,
+            role: 'authenticated',
+            aud: 'authenticated',
+          },
+          headers: { capgkey: scopedKey.key },
+          params: [deliveryId],
         },
-        headers: { capgkey: limitedKey.key },
-        params: [deliveryId],
-      },
-    ).then(result => result.rows)
-
-    expect(webhookRows).toEqual([])
-    expect(deliveryRows).toEqual([])
+      ),
+    ).rejects.toMatchObject({ code: '42501' })
   })
 
   it('prevents webhook_delivery org_id changes when update payload org_id is unauthorized', async () => {
diff --git a/tests/webhook-delivery-redirect.unit.test.ts b/tests/webhook-delivery-redirect.unit.test.ts
index 3aa4c77775..95c6c84869 100644
--- a/tests/webhook-delivery-redirect.unit.test.ts
+++ b/tests/webhook-delivery-redirect.unit.test.ts
@@ -20,6 +20,7 @@ const { deliverWebhook } = await import('../supabase/functions/_backend/utils/we
 
 describe('webhook delivery redirect handling', () => {
   const payload = {
+    type: 'app_versions.INSERT',
     event: 'app_versions.INSERT',
     event_id: 'event-123',
     timestamp: '2026-03-16T00:00:00.000Z',
@@ -63,6 +64,7 @@ describe('webhook delivery redirect handling', () => {
       'https://example.com/webhook',
       payload,
       'whsec_test_secret',
+      'standard',
     )
 
     const webhookCalls = fetchMock.mock.calls.filter(([url]) => url === 'https://example.com/webhook')
diff --git a/tests/webhook-delivery-security.unit.test.ts b/tests/webhook-delivery-security.unit.test.ts
index 4f698dedf2..e63c2d57d0 100644
--- a/tests/webhook-delivery-security.unit.test.ts
+++ b/tests/webhook-delivery-security.unit.test.ts
@@ -43,6 +43,7 @@ describe('webhook delivery redirect handling', () => {
       'delivery-1',
       'https://example.com/webhook',
       {
+        type: 'app_versions.INSERT',
         event: 'app_versions.INSERT',
         event_id: 'event-1',
         timestamp: new Date().toISOString(),
@@ -57,6 +58,7 @@ describe('webhook delivery redirect handling', () => {
         },
       },
       'secret',
+      'standard',
     )
 
     expect(result.success).toBe(true)
@@ -66,6 +68,51 @@ describe('webhook delivery redirect handling', () => {
       method: 'POST',
       redirect: 'manual',
     })
+    expect((webhookCalls[0]?.[1]?.headers as Record<string, string>)['webhook-id']).toBe('event-1')
+    expect((webhookCalls[0]?.[1]?.headers as Record<string, string>)['webhook-timestamp']).toMatch(/^\d+$/)
+    expect((webhookCalls[0]?.[1]?.headers as Record<string, string>)['webhook-signature']).toMatch(/^v1,[A-Za-z0-9+/]+={0,2}$/)
+    expect((webhookCalls[0]?.[1]?.headers as Record<string, string>)['X-Capgo-Signature']).toMatch(/^v1=\d+\.[a-f0-9]{64}$/)
+  })
+
+  it('uses the legacy payload and headers by default', async () => {
+    mockGetEnv.mockReturnValue('')
+    const fetchMock = vi.fn().mockImplementation(async () => new Response('ok', { status: 200 }))
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { deliverWebhook } = await import('../supabase/functions/_backend/utils/webhook.ts')
+    const result = await deliverWebhook(
+      createContext(),
+      'delivery-legacy',
+      'https://example.com/webhook',
+      {
+        type: 'app_versions.INSERT',
+        event: 'app_versions.INSERT',
+        event_id: 'event-legacy',
+        timestamp: new Date().toISOString(),
+        org_id: 'org-1',
+        data: {
+          table: 'app_versions',
+          operation: 'INSERT',
+          record_id: 'record-legacy',
+          old_record: null,
+          new_record: null,
+          changed_fields: null,
+        },
+      },
+      'secret',
+    )
+
+    expect(result.success).toBe(true)
+    const webhookCalls = fetchMock.mock.calls.filter(([url]) => url === 'https://example.com/webhook')
+    expect(webhookCalls).toHaveLength(1)
+    const headers = webhookCalls[0]?.[1]?.headers as Record<string, string>
+    const body = JSON.parse(webhookCalls[0]?.[1]?.body as string) as Record<string, unknown>
+    expect(headers['webhook-id']).toBeUndefined()
+    expect(headers['webhook-signature']).toBeUndefined()
+    expect(headers['X-Capgo-Event-ID']).toBe('event-legacy')
+    expect(headers['X-Capgo-Signature']).toMatch(/^v1=\d+\.[a-f0-9]{64}$/)
+    expect(body.type).toBeUndefined()
+    expect(body.event).toBe('app_versions.INSERT')
   })
 
   it('does not treat redirect responses as successful deliveries', async () => {
@@ -84,6 +131,7 @@ describe('webhook delivery redirect handling', () => {
       'delivery-2',
       'https://example.com/webhook',
       {
+        type: 'app_versions.INSERT',
         event: 'app_versions.INSERT',
         event_id: 'event-2',
         timestamp: new Date().toISOString(),
@@ -98,6 +146,7 @@ describe('webhook delivery redirect handling', () => {
         },
       },
       'secret',
+      'standard',
     )
 
     expect(result.success).toBe(false)
@@ -106,6 +155,157 @@ describe('webhook delivery redirect handling', () => {
     expect(webhookCalls).toHaveLength(1)
   })
 
+  it('caps response bodies while reading webhook delivery previews', async () => {
+    mockGetEnv.mockReturnValue('')
+    let streamCancelled = false
+    const oversizedChunk = new Uint8Array(12000).fill('a'.charCodeAt(0))
+    const responseBody = new ReadableStream<Uint8Array>({
+      start(controller) {
+        controller.enqueue(oversizedChunk)
+      },
+      cancel() {
+        streamCancelled = true
+      },
+    })
+    const fetchMock = vi.fn().mockResolvedValue(new Response(responseBody, { status: 500 }))
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { deliverWebhook } = await import('../supabase/functions/_backend/utils/webhook.ts')
+    const result = await deliverWebhook(
+      createContext(),
+      'delivery-large-body',
+      'https://example.com/webhook',
+      {
+        type: 'app_versions.INSERT',
+        event: 'app_versions.INSERT',
+        event_id: 'event-large-body',
+        timestamp: new Date().toISOString(),
+        org_id: 'org-1',
+        data: {
+          table: 'app_versions',
+          operation: 'INSERT',
+          record_id: 'record-large-body',
+          old_record: null,
+          new_record: null,
+          changed_fields: null,
+        },
+      },
+      'secret',
+      'standard',
+    )
+
+    expect(result.success).toBe(false)
+    expect(result.body).toHaveLength(10000)
+    expect(streamCancelled).toBe(true)
+  })
+
+  it('does not log raw webhook URLs or query secrets', async () => {
+    mockGetEnv.mockReturnValue('')
+    const fetchMock = vi.fn(async (input: string | URL | Request) => {
+      const urlString = String(input)
+      const url = new URL(urlString)
+
+      if (url.hostname === 'cloudflare-dns.com') {
+        return new Response(JSON.stringify({
+          Answer: [{ data: '93.184.216.34' }],
+        }))
+      }
+
+      return new Response('ok', { status: 200 })
+    })
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { deliverWebhook } = await import('../supabase/functions/_backend/utils/webhook.ts')
+    const result = await deliverWebhook(
+      createContext(),
+      'delivery-sensitive-url',
+      'https://example.com/hooks/capgo?token=secret-token',
+      {
+        type: 'app_versions.INSERT',
+        event: 'app_versions.INSERT',
+        event_id: 'event-sensitive-url',
+        timestamp: new Date().toISOString(),
+        org_id: 'org-1',
+        data: {
+          table: 'app_versions',
+          operation: 'INSERT',
+          record_id: 'record-sensitive-url',
+          old_record: null,
+          new_record: null,
+          changed_fields: null,
+        },
+      },
+      'secret',
+      'standard',
+    )
+
+    expect(result.success).toBe(true)
+    const deliveryLog = mockCloudlog.mock.calls
+      .map(([entry]) => entry)
+      .find(entry => entry.message === 'Webhook delivery attempt')
+
+    expect(deliveryLog).toMatchObject({
+      urlInfo: {
+        valid: true,
+        protocol: 'https',
+        hostnameLength: 'example.com'.length,
+        pathSegmentCount: 2,
+        hasQuery: true,
+        hasCredentials: false,
+      },
+    })
+    expect(deliveryLog).not.toHaveProperty('url')
+    expect(JSON.stringify(deliveryLog)).not.toContain('secret-token')
+  })
+
+  it('does not log raw webhook URLs when delivery fails before a response', async () => {
+    mockGetEnv.mockReturnValue('')
+    const fetchMock = vi.fn().mockRejectedValue(new Error('receiver unavailable'))
+    vi.stubGlobal('fetch', fetchMock)
+
+    const { deliverWebhook } = await import('../supabase/functions/_backend/utils/webhook.ts')
+    const result = await deliverWebhook(
+      createContext(),
+      'delivery-sensitive-failure',
+      'https://example.com/hooks/capgo?token=secret-token',
+      {
+        type: 'app_versions.INSERT',
+        event: 'app_versions.INSERT',
+        event_id: 'event-sensitive-failure',
+        timestamp: new Date().toISOString(),
+        org_id: 'org-1',
+        data: {
+          table: 'app_versions',
+          operation: 'INSERT',
+          record_id: 'record-sensitive-failure',
+          old_record: null,
+          new_record: null,
+          changed_fields: null,
+        },
+      },
+      'secret',
+      'standard',
+    )
+
+    expect(result.success).toBe(false)
+    const deliveryLog = mockCloudlogErr.mock.calls
+      .map(([entry]) => entry)
+      .find(entry => entry.message === 'Webhook delivery failed')
+
+    expect(deliveryLog).toMatchObject({
+      urlInfo: {
+        valid: true,
+        protocol: 'https',
+        hostnameLength: 'example.com'.length,
+        pathSegmentCount: 2,
+        hasQuery: true,
+        hasCredentials: false,
+      },
+    })
+    expect(deliveryLog).not.toHaveProperty('url')
+    expect(JSON.stringify(deliveryLog)).not.toContain('secret-token')
+  })
+
   it('blocks webhook hosts that resolve to private addresses before delivery', async () => {
     mockGetEnv.mockReturnValue('')
     const fetchMock = vi.fn(async (input: string | URL | Request) => {
@@ -127,8 +327,9 @@ describe('webhook delivery redirect handling', () => {
     const result = await deliverWebhook(
       createContext(),
       'delivery-3',
-      'https://private.example/webhook',
+      'https://private.example/webhook?token=secret-token',
       {
+        type: 'app_versions.INSERT',
         event: 'app_versions.INSERT',
         event_id: 'event-3',
         timestamp: new Date().toISOString(),
@@ -143,12 +344,39 @@ describe('webhook delivery redirect handling', () => {
         },
       },
       'secret',
+      'standard',
     )
 
     expect(result).toMatchObject({
       success: false,
       body: 'Error: Webhook URL must point to a public host',
     })
-    expect(fetchMock.mock.calls.some(([url]) => url === 'https://private.example/webhook')).toBe(false)
+    expect(fetchMock.mock.calls.some(([url]) => String(url).startsWith('https://private.example/'))).toBe(false)
+    const blockedLog = mockCloudlogErr.mock.calls
+      .map(([entry]) => entry)
+      .find(entry => entry.message === 'Webhook delivery blocked by URL validation')
+    expect(blockedLog).not.toHaveProperty('url')
+    expect(JSON.stringify(blockedLog)).not.toContain('secret-token')
+  })
+})
+
+describe('webhook retry scheduling', () => {
+  it('uses the multi-day retry schedule with deterministic jitter', async () => {
+    const { getWebhookRetryDelaySeconds } = await import('../supabase/functions/_backend/utils/webhook.ts')
+
+    expect(getWebhookRetryDelaySeconds(1, null, 500, 0.5)).toBe(5)
+    expect(getWebhookRetryDelaySeconds(2, null, 500, 0.5)).toBe(5 * 60)
+    expect(getWebhookRetryDelaySeconds(3, null, 500, 0.5)).toBe(30 * 60)
+    expect(getWebhookRetryDelaySeconds(9, null, 500, 0.5)).toBe(24 * 60 * 60)
+  })
+
+  it('honors retry-after and throttles rate-limit responses', async () => {
+    const { getWebhookRetryDelaySeconds, parseRetryAfterSeconds } = await import('../supabase/functions/_backend/utils/webhook.ts')
+
+    expect(parseRetryAfterSeconds('120')).toBe(120)
+    expect(getWebhookRetryDelaySeconds(1, '600', 429, 0.5)).toBe(600)
+    expect(getWebhookRetryDelaySeconds(1, null, 429, 0.5)).toBe(5 * 60)
+    expect(getWebhookRetryDelaySeconds(1, '600', 429, 0)).toBe(600)
+    expect(getWebhookRetryDelaySeconds(1, null, 429, 0)).toBe(5 * 60)
   })
 })
diff --git a/tests/webhook-queue-processing.test.ts b/tests/webhook-queue-processing.test.ts
index 4d59eacd7b..7e5e4e95b9 100644
--- a/tests/webhook-queue-processing.test.ts
+++ b/tests/webhook-queue-processing.test.ts
@@ -104,7 +104,7 @@ async function waitForWebhookDeliveryQueueMessage(deliveryId: string, timeoutMs
   throw new Error(`Timed out waiting for webhook_delivery queue message for delivery ${deliveryId}`)
 }
 
-async function waitForDeliveryCompletion(deliveryId: string, timeoutMs = 15000) {
+async function waitForDeliveryAttempt(deliveryId: string, timeoutMs = 15000) {
   const start = Date.now()
   let lastState: Record<string, unknown> | null = null
 
@@ -120,13 +120,13 @@ async function waitForDeliveryCompletion(deliveryId: string, timeoutMs = 15000)
 
     lastState = data
 
-    if (data?.status && data.status !== 'pending')
+    if ((data?.attempt_count ?? 0) > 0 && data?.response_status !== null)
       return data
 
     await new Promise(resolve => setTimeout(resolve, 250))
   }
 
-  throw new Error(`Timed out waiting for delivery ${deliveryId} to complete: ${JSON.stringify(lastState)}`)
+  throw new Error(`Timed out waiting for delivery ${deliveryId} to be attempted: ${JSON.stringify(lastState)}`)
 }
 
 describe('webhook queue processing', () => {
@@ -182,7 +182,7 @@ describe('webhook queue processing', () => {
     await pool.end()
   })
 
-  it('dispatches and delivers webhook queue messages end to end', { timeout: 30000 }, async () => {
+  it.concurrent('dispatches and delivers webhook queue messages end to end', { timeout: 30000 }, async () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in setup')
 
@@ -213,10 +213,12 @@ describe('webhook queue processing', () => {
     expect(createdDelivery.event_type).toBe('apps.UPDATE')
     expect(createdDelivery.status).toBe('pending')
     await fetchQueueSync('webhook_delivery')
-    const completedDelivery = await waitForDeliveryCompletion(createdDelivery.id)
+    const attemptedDelivery = await waitForDeliveryAttempt(createdDelivery.id)
 
-    expect(completedDelivery.status).toBe('failed')
-    expect(completedDelivery.attempt_count).toBe(1)
-    expect(completedDelivery.response_body).toBeTruthy()
+    expect(attemptedDelivery.status).toBe('pending')
+    expect(attemptedDelivery.attempt_count).toBe(1)
+    expect(attemptedDelivery.response_status).toBe(405)
+    expect(attemptedDelivery.next_retry_at).toBeTruthy()
+    expect(attemptedDelivery.response_body).toBeTruthy()
   })
 })
diff --git a/tests/webhook-signature.test.ts b/tests/webhook-signature.test.ts
index 45e740b18b..9351f7abe3 100644
--- a/tests/webhook-signature.test.ts
+++ b/tests/webhook-signature.test.ts
@@ -1,5 +1,7 @@
-import { createHmac, randomUUID } from 'node:crypto'
+import { Buffer } from 'node:buffer'
+import { createHmac, randomUUID, timingSafeEqual } from 'node:crypto'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
+import { generateStandardWebhookSignature, generateWebhookSignature } from '../supabase/functions/_backend/utils/webhook.ts'
 import { BASE_URL, getSupabaseClient, headers, TEST_EMAIL, USER_ID } from './test-utils.ts'
 
 // Test data
@@ -10,75 +12,50 @@ let createdWebhookId: string | null = null
 let webhookSecret: string | null = null
 
 /**
- * Generate webhook signature using the same algorithm as the backend
- * This mirrors the implementation in supabase/functions/_backend/utils/webhook.ts
+ * Verify Standard Webhooks signature using Node.js crypto.
  */
-async function generateWebhookSignature(
+function verifyStandardWebhookSignature(
+  signature: string,
   secret: string,
+  messageId: string,
   timestamp: string,
-  payload: string,
-): Promise<string> {
-  const signaturePayload = `${timestamp}.${payload}`
-
-  const encoder = new TextEncoder()
-  const key = await crypto.subtle.importKey(
-    'raw',
-    encoder.encode(secret),
-    { name: 'HMAC', hash: 'SHA-256' },
-    false,
-    ['sign'],
-  )
+  body: string,
+): { valid: boolean, error?: string } {
+  const signatures = signature.split(' ')
+  const secretBytes = secret.startsWith('whsec_')
+    ? Buffer.from(secret.slice('whsec_'.length), 'base64')
+    : Buffer.from(secret)
+  const signaturePayload = `${messageId}.${timestamp}.${body}`
+  const expectedSignature = `v1,${createHmac('sha256', secretBytes)
+    .update(signaturePayload)
+    .digest('base64')}`
 
-  const signature = await crypto.subtle.sign(
-    'HMAC',
-    key,
-    encoder.encode(signaturePayload),
+  const valid = signatures.some(candidate =>
+    candidate.length === expectedSignature.length
+    && timingSafeEqual(Buffer.from(candidate), Buffer.from(expectedSignature)),
   )
 
-  const hexSignature = Array.from(new Uint8Array(signature))
-    .map(b => b.toString(16).padStart(2, '0'))
-    .join('')
-
-  return `v1=${timestamp}.${hexSignature}`
+  return valid ? { valid: true } : { valid: false, error: 'HMAC verification failed' }
 }
 
-/**
- * Verify webhook signature using Node.js crypto (what a receiver would use)
- */
-function verifyWebhookSignature(
+function verifyLegacyWebhookSignature(
   signature: string,
   secret: string,
   body: string,
 ): { valid: boolean, timestamp: string | null, error?: string } {
-  // Parse signature format: v1={timestamp}.{hmac}
   const match = signature.match(/^v1=(\d+)\.([a-f0-9]+)$/i)
-  if (!match) {
+  if (!match)
     return { valid: false, timestamp: null, error: 'Invalid signature format' }
-  }
 
   const [, timestamp, receivedHmac] = match
-
-  // Compute expected HMAC using Node.js crypto
-  const signaturePayload = `${timestamp}.${body}`
   const expectedHmac = createHmac('sha256', secret)
-    .update(signaturePayload)
+    .update(`${timestamp}.${body}`)
     .digest('hex')
 
-  // Constant-time comparison
-  if (expectedHmac.length !== receivedHmac.length) {
-    return { valid: false, timestamp, error: 'HMAC length mismatch' }
-  }
-
-  let result = 0
-  for (let i = 0; i < expectedHmac.length; i++) {
-    result |= expectedHmac.charCodeAt(i) ^ receivedHmac.charCodeAt(i)
-  }
-
-  if (result !== 0) {
-    return { valid: false, timestamp, error: 'HMAC verification failed' }
-  }
+  const valid = expectedHmac.length === receivedHmac.length
+    && timingSafeEqual(Buffer.from(expectedHmac), Buffer.from(receivedHmac))
 
-  return { valid: true, timestamp }
+  return valid ? { valid: true, timestamp } : { valid: false, timestamp, error: 'HMAC verification failed' }
 }
 
 beforeAll(async () => {
@@ -118,11 +95,13 @@ afterAll(async () => {
 })
 
 describe('webhook signature algorithm', () => {
-  const testSecret = 'whsec_test_secret_key_12345'
+  const testSecret = `whsec_${Buffer.from('12345678901234567890123456789012').toString('base64')}`
+  const messageId = '123e4567-e89b-12d3-a456-426614174000'
   const testTimestamp = '1704067200'
   const testPayload = JSON.stringify({
+    type: 'app_versions.INSERT',
     event: 'app_versions.INSERT',
-    event_id: '123e4567-e89b-12d3-a456-426614174000',
+    event_id: messageId,
     timestamp: '2024-01-01T00:00:00.000Z',
     org_id: 'org-123',
     data: {
@@ -135,104 +114,116 @@ describe('webhook signature algorithm', () => {
     },
   })
 
-  it('should generate signature in correct format v1={timestamp}.{hmac}', async () => {
-    const signature = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    expect(signature).toMatch(/^v1=\d+\.[a-f0-9]{64}$/i)
+  it('should generate Standard Webhooks signature format v1,{base64}', async () => {
+    const signature = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    expect(signature).toMatch(/^v1,[A-Za-z0-9+/]+={0,2}$/)
   })
 
-  it('should include timestamp in signature', async () => {
-    const signature = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    expect(signature).toContain(`v1=${testTimestamp}.`)
+  it('should produce consistent Standard Webhooks signatures for same inputs', async () => {
+    const sig1 = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    const sig2 = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    expect(sig1).toBe(sig2)
   })
 
-  it('should generate 64-char hex HMAC (SHA-256)', async () => {
-    const signature = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    const hmac = signature.split('.')[1]
-    expect(hmac.length).toBe(64)
+  it('should produce different Standard Webhooks signatures for different message ids', async () => {
+    const sig1 = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    const sig2 = await generateStandardWebhookSignature(testSecret, 'different-message-id', testTimestamp, testPayload)
+    expect(sig1).not.toBe(sig2)
   })
 
-  it('should produce consistent signatures for same inputs', async () => {
-    const sig1 = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    const sig2 = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    expect(sig1).toBe(sig2)
+  it('should produce different Standard Webhooks signatures for different secrets', async () => {
+    const sig1 = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    const sig2 = await generateStandardWebhookSignature(`whsec_${Buffer.from('abcdefabcdefabcdefabcdefabcdef12').toString('base64')}`, messageId, testTimestamp, testPayload)
+    expect(sig1).not.toBe(sig2)
   })
 
-  it('should produce different signatures for different secrets', async () => {
-    const sig1 = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    const sig2 = await generateWebhookSignature('different_secret', testTimestamp, testPayload)
+  it('should produce different Standard Webhooks signatures for different timestamps', async () => {
+    const sig1 = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    const sig2 = await generateStandardWebhookSignature(testSecret, messageId, '1704153600', testPayload)
     expect(sig1).not.toBe(sig2)
   })
 
-  it('should produce different signatures for different timestamps', async () => {
-    const sig1 = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    const sig2 = await generateWebhookSignature(testSecret, '1704153600', testPayload)
+  it('should produce different Standard Webhooks signatures for different payloads', async () => {
+    const sig1 = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    const sig2 = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, '{"different":"payload"}')
     expect(sig1).not.toBe(sig2)
   })
 
-  it('should produce different signatures for different payloads', async () => {
-    const sig1 = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    const sig2 = await generateWebhookSignature(testSecret, testTimestamp, '{"different":"payload"}')
-    expect(sig1).not.toBe(sig2)
+  it('should match Node.js crypto Standard Webhooks HMAC generation', async () => {
+    const signature = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    const [, hmac] = signature.split(',')
+    const expectedHmac = createHmac('sha256', Buffer.from(testSecret.slice('whsec_'.length), 'base64'))
+      .update(`${messageId}.${testTimestamp}.${testPayload}`)
+      .digest('base64')
+
+    expect(hmac).toBe(expectedHmac)
   })
 
-  it('should match Node.js crypto HMAC generation', async () => {
+  it('should keep generating the legacy Capgo signature format', async () => {
     const signature = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
     const [, timestampAndHmac] = signature.split('=')
     const [, hmac] = timestampAndHmac.split('.')
-
-    // Generate with Node.js crypto
-    const signaturePayload = `${testTimestamp}.${testPayload}`
     const expectedHmac = createHmac('sha256', testSecret)
-      .update(signaturePayload)
+      .update(`${testTimestamp}.${testPayload}`)
       .digest('hex')
 
+    expect(signature).toMatch(/^v1=\d+\.[a-f0-9]{64}$/i)
     expect(hmac).toBe(expectedHmac)
   })
 })
 
 describe('webhook signature verification', () => {
-  const testSecret = 'whsec_test_secret_key_12345'
+  const testSecret = `whsec_${Buffer.from('12345678901234567890123456789012').toString('base64')}`
+  const messageId = 'evt_test_123'
   const testTimestamp = '1704067200'
-  const testPayload = JSON.stringify({ event: 'test.ping' })
+  const testPayload = JSON.stringify({ type: 'test.ping', event: 'test.ping' })
 
-  it('should verify valid signature', async () => {
-    const signature = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    const result = verifyWebhookSignature(signature, testSecret, testPayload)
+  it('should verify valid Standard Webhooks signature', async () => {
+    const signature = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    const result = verifyStandardWebhookSignature(signature, testSecret, messageId, testTimestamp, testPayload)
 
     expect(result.valid).toBe(true)
-    expect(result.timestamp).toBe(testTimestamp)
     expect(result.error).toBeUndefined()
   })
 
-  it('should reject signature with wrong secret', async () => {
-    const signature = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    const result = verifyWebhookSignature(signature, 'wrong_secret', testPayload)
+  it('should reject Standard Webhooks signature with wrong secret', async () => {
+    const signature = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    const result = verifyStandardWebhookSignature(
+      signature,
+      `whsec_${Buffer.from('abcdefabcdefabcdefabcdefabcdef12').toString('base64')}`,
+      messageId,
+      testTimestamp,
+      testPayload,
+    )
 
     expect(result.valid).toBe(false)
     expect(result.error).toBe('HMAC verification failed')
   })
 
-  it('should reject signature with tampered payload', async () => {
-    const signature = await generateWebhookSignature(testSecret, testTimestamp, testPayload)
-    const tamperedPayload = JSON.stringify({ event: 'test.ping', tampered: true })
-    const result = verifyWebhookSignature(signature, testSecret, tamperedPayload)
+  it('should reject Standard Webhooks signature with tampered payload', async () => {
+    const signature = await generateStandardWebhookSignature(testSecret, messageId, testTimestamp, testPayload)
+    const tamperedPayload = JSON.stringify({ type: 'test.ping', event: 'test.ping', tampered: true })
+    const result = verifyStandardWebhookSignature(signature, testSecret, messageId, testTimestamp, tamperedPayload)
 
     expect(result.valid).toBe(false)
     expect(result.error).toBe('HMAC verification failed')
   })
 
-  it('should reject malformed signatures', () => {
-    const body = '{"test": true}'
-    const secret = 'test_secret'
+  it('should still verify legacy Capgo signatures', async () => {
+    const legacySecret = 'whsec_test_secret_key_12345'
+    const signature = await generateWebhookSignature(legacySecret, testTimestamp, testPayload)
+    const result = verifyLegacyWebhookSignature(signature, legacySecret, testPayload)
+
+    expect(result.valid).toBe(true)
+    expect(result.timestamp).toBe(testTimestamp)
+  })
 
-    // Missing version prefix
-    expect(verifyWebhookSignature('1234567890.abc123', secret, body).valid).toBe(false)
+  it('should reject malformed Standard Webhooks signatures', () => {
+    expect(verifyStandardWebhookSignature('1234567890.abc123', testSecret, messageId, testTimestamp, testPayload).valid).toBe(false)
 
-    // Invalid format
-    expect(verifyWebhookSignature('invalid', secret, body).valid).toBe(false)
+    expect(verifyStandardWebhookSignature('invalid', testSecret, messageId, testTimestamp, testPayload).valid).toBe(false)
 
-    // Empty signature
-    expect(verifyWebhookSignature('', secret, body).valid).toBe(false)
+    expect(verifyStandardWebhookSignature('', testSecret, messageId, testTimestamp, testPayload).valid).toBe(false)
   })
 })
 
@@ -249,6 +240,7 @@ describe('webhook creation and secret generation', () => {
         name: `Signature Test Webhook ${globalId}`,
         url: webhookUrl,
         events: ['app_versions'],
+        deliveryVersion: 'standard',
       }),
     })
 
@@ -272,7 +264,8 @@ describe('webhook creation and secret generation', () => {
     expect(webhook).not.toBeNull()
     expect(webhook.secret).toBeDefined()
     expect(typeof webhook.secret).toBe('string')
-    expect(webhook.secret.length).toBeGreaterThan(0)
+    expect(webhook.secret).toMatch(/^whsec_[A-Za-z0-9+/]+={0,2}$/)
+    expect(Buffer.from(webhook.secret.slice('whsec_'.length), 'base64')).toHaveLength(32)
 
     webhookSecret = webhook.secret
   })
@@ -307,23 +300,25 @@ describe('webhook creation and secret generation', () => {
     await (getSupabaseClient() as any).from('webhooks').delete().eq('id', anotherWebhookId)
   })
 
-  it('should be able to verify a signature with the stored secret', async () => {
+  it('should be able to verify a Standard Webhooks signature with the stored secret', async () => {
     expect(webhookSecret).not.toBeNull()
 
     const timestamp = Math.floor(Date.now() / 1000).toString()
+    const messageId = randomUUID()
     const payload = JSON.stringify({
+      type: 'test.ping',
       event: 'test.ping',
+      event_id: messageId,
       org_id: WEBHOOK_TEST_ORG_ID,
     })
 
     // Generate signature with the real secret
-    const signature = await generateWebhookSignature(webhookSecret!, timestamp, payload)
+    const signature = await generateStandardWebhookSignature(webhookSecret!, messageId, timestamp, payload)
 
     // Verify it can be validated
-    const result = verifyWebhookSignature(signature, webhookSecret!, payload)
+    const result = verifyStandardWebhookSignature(signature, webhookSecret!, messageId, timestamp, payload)
 
     expect(result.valid).toBe(true)
-    expect(result.timestamp).toBe(timestamp)
   })
 })
 
@@ -365,6 +360,7 @@ describe('webhook delivery record creation', () => {
 
     const delivery = deliveries[0]
     expect(delivery.request_payload).toBeDefined()
+    expect(delivery.request_payload.type).toBe('test.ping')
     expect(delivery.request_payload.event).toBe('test.ping')
     expect(delivery.request_payload.org_id).toBe(WEBHOOK_TEST_ORG_ID)
     expect(delivery.request_payload.event_id).toBeDefined()
@@ -386,43 +382,49 @@ describe('webhook delivery record creation', () => {
 
 describe('signature security properties', () => {
   it('should use HMAC-SHA256 producing 256-bit signatures', async () => {
-    const signature = await generateWebhookSignature('secret', '12345', '{}')
-    const hmac = signature.split('.')[1]
+    const secret = `whsec_${Buffer.from('12345678901234567890123456789012').toString('base64')}`
+    const signature = await generateStandardWebhookSignature(secret, 'evt_123', '12345', '{}')
+    const hmac = signature.split(',')[1]
 
-    // 256 bits = 32 bytes = 64 hex characters
-    expect(hmac.length).toBe(64)
+    // 256 bits = 32 bytes = 44 base64 characters with padding
+    expect(Buffer.from(hmac, 'base64')).toHaveLength(32)
   })
 
   it('should include timestamp to prevent replay attacks', async () => {
-    const secret = 'test_secret'
+    const secret = `whsec_${Buffer.from('12345678901234567890123456789012').toString('base64')}`
+    const messageId = 'evt_replay_test'
     const payload = '{}'
 
     const oldTimestamp = '1609459200' // 2021-01-01
     const newTimestamp = '1704067200' // 2024-01-01
 
-    const oldSig = await generateWebhookSignature(secret, oldTimestamp, payload)
-    const newSig = await generateWebhookSignature(secret, newTimestamp, payload)
+    const oldSig = await generateStandardWebhookSignature(secret, messageId, oldTimestamp, payload)
+    const newSig = await generateStandardWebhookSignature(secret, messageId, newTimestamp, payload)
 
     // Different timestamps = different signatures
     expect(oldSig).not.toBe(newSig)
+  })
+
+  it('should include message id to bind signatures to idempotency keys', async () => {
+    const secret = `whsec_${Buffer.from('12345678901234567890123456789012').toString('base64')}`
+    const timestamp = '1704067200'
+    const payload = '{}'
 
-    // Old signature cannot be used with new timestamp for verification
-    // (the timestamp in signature won't match what receiver expects)
-    const oldParsed = oldSig.match(/^v1=(\d+)\./)
-    expect(oldParsed![1]).toBe(oldTimestamp)
+    const firstSig = await generateStandardWebhookSignature(secret, 'evt_1', timestamp, payload)
+    const secondSig = await generateStandardWebhookSignature(secret, 'evt_2', timestamp, payload)
 
-    const newParsed = newSig.match(/^v1=(\d+)\./)
-    expect(newParsed![1]).toBe(newTimestamp)
+    expect(firstSig).not.toBe(secondSig)
   })
 
   it('should produce unique signatures for different payloads', async () => {
-    const secret = 'test_secret'
+    const secret = `whsec_${Buffer.from('12345678901234567890123456789012').toString('base64')}`
+    const messageId = 'evt_unique_payload'
     const timestamp = '1704067200'
     const signatures = new Set<string>()
 
     for (let i = 0; i < 100; i++) {
       const payload = JSON.stringify({ event: 'test', nonce: i })
-      const sig = await generateWebhookSignature(secret, timestamp, payload)
+      const sig = await generateStandardWebhookSignature(secret, messageId, timestamp, payload)
       signatures.add(sig)
     }
 
diff --git a/tests/webhooks.test.ts b/tests/webhooks.test.ts
index 8b09b49bff..45cef5517e 100644
--- a/tests/webhooks.test.ts
+++ b/tests/webhooks.test.ts
@@ -1,7 +1,13 @@
 import { randomUUID } from 'node:crypto'
+import { createClient } from '@supabase/supabase-js'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
 
-import { BASE_URL, fetchWithRetry, getSupabaseClient, headers, TEST_EMAIL, USER_ID } from './test-utils.ts'
+import { fetchWithRetry, getAuthHeaders, getEndpointUrl, getSupabaseClient, headers, SUPABASE_ANON_KEY, SUPABASE_BASE_URL, TEST_EMAIL, USER_ID } from './test-utils.ts'
+
+// This file intentionally runs sequentially because it exercises one webhook
+// lifecycle across create, list, update, test, delivery, and delete steps.
+// Each test file still creates unique org/app fixtures, so parallel execution
+// with other files remains isolated.
 
 // Test org and webhook IDs
 const WEBHOOK_TEST_ORG_ID = randomUUID()
@@ -12,11 +18,36 @@ const webhookUrl = 'https://example.com/webhook'
 const customerId = `cus_test_${WEBHOOK_TEST_ORG_ID}`
 
 let createdWebhookId: string | null = null
+let standardWebhookId: string | null = null
 let lastDeliveryId: string | null = null
 let appScopedKeyId: number | null = null
 let appScopedKey: string | null = null
 let orgScopedSubkeyId: number | null = null
 
+const webhookEndpoint = (path = '') => getEndpointUrl(`/webhooks${path}`)
+
+function expectSanitizedUrlInfo(data: any, protocol = 'http') {
+  expect(JSON.stringify(data)).not.toContain('secret-token')
+  expect(data.moreInfo?.urlInfo).toMatchObject({
+    valid: true,
+    protocol,
+    hasQuery: true,
+    hasCredentials: false,
+  })
+}
+
+async function getAuthenticatedAnonClient() {
+  const authHeaders = await getAuthHeaders()
+  return createClient(SUPABASE_BASE_URL, SUPABASE_ANON_KEY, {
+    auth: { persistSession: false },
+    global: {
+      headers: {
+        Authorization: authHeaders.Authorization,
+      },
+    },
+  })
+}
+
 beforeAll(async () => {
   // Create stripe_info for this test org
   const { error: stripeError } = await getSupabaseClient().from('stripe_info').insert({
@@ -41,6 +72,14 @@ beforeAll(async () => {
   if (error)
     throw error
 
+  const { error: memberError } = await getSupabaseClient().from('org_users').insert({
+    org_id: WEBHOOK_TEST_ORG_ID,
+    user_id: USER_ID,
+    user_right: 'super_admin',
+  })
+  if (memberError)
+    throw memberError
+
   const { error: appError } = await getSupabaseClient().from('apps').insert({
     app_id: webhookAppId,
     name: `Webhook Test App ${globalId}`,
@@ -88,6 +127,9 @@ afterAll(async () => {
   if (createdWebhookId) {
     await (getSupabaseClient() as any).from('webhooks').delete().eq('id', createdWebhookId)
   }
+  if (standardWebhookId) {
+    await (getSupabaseClient() as any).from('webhooks').delete().eq('id', standardWebhookId)
+  }
   if (appScopedKeyId) {
     await getSupabaseClient().from('apikeys').delete().eq('id', appScopedKeyId)
   }
@@ -95,6 +137,7 @@ afterAll(async () => {
     await getSupabaseClient().from('apikeys').delete().eq('id', orgScopedSubkeyId)
   }
   await getSupabaseClient().from('apps').delete().eq('app_id', webhookAppId)
+  await getSupabaseClient().from('org_users').delete().eq('org_id', WEBHOOK_TEST_ORG_ID)
   // Clean up test organization and stripe_info
   await getSupabaseClient().from('orgs').delete().eq('id', WEBHOOK_TEST_ORG_ID)
   await getSupabaseClient().from('stripe_info').delete().eq('customer_id', customerId)
@@ -102,16 +145,25 @@ afterAll(async () => {
 
 describe('[GET] /webhooks', () => {
   it('list webhooks for organization', async () => {
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks?orgId=${WEBHOOK_TEST_ORG_ID}`, {
+    const response = await fetchWithRetry(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}`), {
+      headers,
+    })
+    expect(response.status).toBe(200)
+    const data = await response.json() as { secret?: string }[]
+    expect(Array.isArray(data)).toBe(true)
+  })
+
+  it('list webhooks with query-string pagination', async () => {
+    const response = await fetchWithRetry(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&page=0`), {
       headers,
     })
     expect(response.status).toBe(200)
-    const data = await response.json()
+    const data = await response.json() as unknown[]
     expect(Array.isArray(data)).toBe(true)
   })
 
   it('list webhooks with missing orgId', async () => {
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks`, {
+    const response = await fetchWithRetry(webhookEndpoint(), {
       headers,
     })
     expect(response.status).toBe(400)
@@ -121,7 +173,7 @@ describe('[GET] /webhooks', () => {
 
   it('list webhooks with invalid orgId', async () => {
     const invalidOrgId = randomUUID()
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks?orgId=${invalidOrgId}`, {
+    const response = await fetchWithRetry(webhookEndpoint(`?orgId=${invalidOrgId}`), {
       headers,
     })
     expect(response.status).toBe(400)
@@ -131,7 +183,7 @@ describe('[GET] /webhooks', () => {
     if (!appScopedKey || !orgScopedSubkeyId)
       throw new Error('Webhook subkey list prerequisites were not created')
 
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks?orgId=${WEBHOOK_TEST_ORG_ID}`, {
+    const response = await fetchWithRetry(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}`), {
       headers: {
         'Content-Type': 'application/json',
         'authorization': appScopedKey,
@@ -148,7 +200,7 @@ describe('[GET] /webhooks', () => {
 
 describe('[POST] /webhooks', () => {
   it('create webhook', async () => {
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -160,17 +212,86 @@ describe('[POST] /webhooks', () => {
     })
 
     expect(response.status).toBe(201)
-    const data = await response.json() as { status: string, webhook: { id: string, name: string, url: string } }
+    const data = await response.json() as { status: string, webhook: { id: string, name: string, url: string, secret: string, delivery_version: string } }
     expect(data.status).toBe('Webhook created')
     expect(data.webhook).toBeDefined()
     expect(data.webhook.name).toBe(webhookName)
     expect(data.webhook.url).toBe(webhookUrl)
+    expect(data.webhook.delivery_version).toBe('legacy')
+    expect(data.webhook.secret).toMatch(/^whsec_[A-Za-z0-9+/]+={0,2}$/)
 
     createdWebhookId = data.webhook.id
   })
 
+  it('create webhook with Standard Webhooks delivery version', async () => {
+    const response = await fetch(webhookEndpoint(), {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        orgId: WEBHOOK_TEST_ORG_ID,
+        name: `Standard Webhook ${globalId}`,
+        url: webhookUrl,
+        events: ['app_versions'],
+        deliveryVersion: 'standard',
+      }),
+    })
+
+    expect(response.status).toBe(201)
+    const data = await response.json() as { webhook: { id: string, delivery_version: string, secret: string } }
+    expect(data.webhook.delivery_version).toBe('standard')
+    expect(data.webhook.secret).toMatch(/^whsec_[A-Za-z0-9+/]+={0,2}$/)
+    standardWebhookId = data.webhook.id
+  })
+
+  it('allows console JWT webhook listing through the API', async () => {
+    const authHeaders = await getAuthHeaders()
+    const response = await fetchWithRetry(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}`), {
+      headers: authHeaders,
+    })
+
+    expect(response.status).toBe(200)
+    const data = await response.json() as { secret?: string }[]
+    expect(Array.isArray(data)).toBe(true)
+    expect(data.every((webhook: { secret?: string }) => webhook.secret === undefined)).toBe(true)
+  })
+
+  it('blocks direct Supabase SDK CRUD access to webhook rows', async () => {
+    if (!createdWebhookId)
+      throw new Error('Webhook was not created in previous test')
+
+    const directClient = await getAuthenticatedAnonClient()
+    const { error: selectError } = await (directClient as any)
+      .from('webhooks')
+      .select('id')
+      .eq('id', createdWebhookId)
+
+    const { error: insertError } = await (directClient as any)
+      .from('webhooks')
+      .insert({
+        org_id: WEBHOOK_TEST_ORG_ID,
+        name: 'Blocked direct insert',
+        url: webhookUrl,
+        events: ['app_versions'],
+      })
+
+    const { error: updateError } = await (directClient as any)
+      .from('webhooks')
+      .update({ name: 'Blocked direct update' })
+      .eq('id', createdWebhookId)
+
+    const { error: deleteError } = await (directClient as any)
+      .from('webhooks')
+      .delete()
+      .eq('id', createdWebhookId)
+
+    expect(selectError?.code).toBe('42501')
+    expect(insertError?.code).toBe('42501')
+    expect(updateError?.code).toBe('42501')
+    expect(deleteError?.code).toBe('42501')
+  })
+
   it('create webhook with missing required fields', async () => {
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -185,7 +306,7 @@ describe('[POST] /webhooks', () => {
   })
 
   it('create webhook with invalid URL', async () => {
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -201,23 +322,24 @@ describe('[POST] /webhooks', () => {
   })
 
   it('create webhook with HTTP URL (non-HTTPS)', async () => {
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'POST',
       headers,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         name: 'HTTP URL Webhook',
-        url: 'http://example.com/webhook',
+        url: 'http://example.com/webhook?token=secret-token',
         events: ['app_versions'],
       }),
     })
     expect(response.status).toBe(400)
-    const data = await response.json() as { error: string }
+    const data = await response.json() as { error: string, moreInfo?: any }
     expect(data.error).toBe('invalid_url')
+    expectSanitizedUrlInfo(data)
   })
 
   it('create webhook with invalid events', async () => {
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -232,8 +354,25 @@ describe('[POST] /webhooks', () => {
     expect(data.error).toBe('invalid_events')
   })
 
+  it('create webhook with invalid delivery version', async () => {
+    const response = await fetch(webhookEndpoint(), {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({
+        orgId: WEBHOOK_TEST_ORG_ID,
+        name: 'Invalid Version Webhook',
+        url: webhookUrl,
+        events: ['app_versions'],
+        deliveryVersion: 'invalid',
+      }),
+    })
+    expect(response.status).toBe(400)
+    const data = await response.json() as { error: string }
+    expect(data.error).toBe('invalid_delivery_version')
+  })
+
   it('create webhook with empty events array', async () => {
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -250,7 +389,7 @@ describe('[POST] /webhooks', () => {
 
   it('create webhook with invalid orgId', async () => {
     const invalidOrgId = randomUUID()
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -264,7 +403,7 @@ describe('[POST] /webhooks', () => {
   })
 
   it('create webhook rejects localhost URL', async () => {
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -285,19 +424,21 @@ describe('[GET] /webhooks (single webhook)', () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`, {
+    const response = await fetchWithRetry(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`), {
       headers,
     })
     expect(response.status).toBe(200)
-    const data = await response.json() as { id: string, name: string, stats_24h: object }
+    const data = await response.json() as { id: string, name: string, delivery_version: string, secret?: string, stats_24h: object }
     expect(data.id).toBe(createdWebhookId)
     expect(data.name).toBe(webhookName)
+    expect(data.delivery_version).toBe('legacy')
+    expect(data.secret).toBeUndefined()
     expect(data.stats_24h).toBeDefined()
   })
 
   it('get webhook with invalid webhookId', async () => {
     const invalidWebhookId = randomUUID()
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${invalidWebhookId}`, {
+    const response = await fetchWithRetry(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${invalidWebhookId}`), {
       headers,
     })
     expect(response.status).toBe(400)
@@ -312,7 +453,7 @@ describe('[PUT] /webhooks', () => {
       throw new Error('Webhook was not created in previous test')
 
     const newName = `Updated Webhook ${globalId}`
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
       headers,
       body: JSON.stringify({
@@ -322,9 +463,10 @@ describe('[PUT] /webhooks', () => {
       }),
     })
     expect(response.status).toBe(200)
-    const data = await response.json() as { status: string, webhook: { name: string } }
+    const data = await response.json() as { status: string, webhook: { name: string, secret?: string } }
     expect(data.status).toBe('Webhook updated')
     expect(data.webhook.name).toBe(newName)
+    expect(data.webhook.secret).toBeUndefined()
   })
 
   it('update webhook URL', async () => {
@@ -332,7 +474,7 @@ describe('[PUT] /webhooks', () => {
       throw new Error('Webhook was not created in previous test')
 
     const newUrl = 'https://updated.example.com/webhook'
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
       headers,
       body: JSON.stringify({
@@ -350,7 +492,7 @@ describe('[PUT] /webhooks', () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
       headers,
       body: JSON.stringify({
@@ -369,7 +511,7 @@ describe('[PUT] /webhooks', () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
       headers,
       body: JSON.stringify({
@@ -383,7 +525,7 @@ describe('[PUT] /webhooks', () => {
     expect(data.webhook.enabled).toBe(false)
 
     // Re-enable for subsequent tests
-    await fetch(`${BASE_URL}/webhooks`, {
+    await fetch(webhookEndpoint(), {
       method: 'PUT',
       headers,
       body: JSON.stringify({
@@ -394,11 +536,42 @@ describe('[PUT] /webhooks', () => {
     })
   })
 
+  it('update webhook delivery version', async () => {
+    if (!createdWebhookId)
+      throw new Error('Webhook was not created in previous test')
+
+    const standardResponse = await fetch(webhookEndpoint(), {
+      method: 'PUT',
+      headers,
+      body: JSON.stringify({
+        orgId: WEBHOOK_TEST_ORG_ID,
+        webhookId: createdWebhookId,
+        deliveryVersion: 'standard',
+      }),
+    })
+    expect(standardResponse.status).toBe(200)
+    const standardData = await standardResponse.json() as { webhook: { delivery_version: string } }
+    expect(standardData.webhook.delivery_version).toBe('standard')
+
+    const legacyResponse = await fetch(webhookEndpoint(), {
+      method: 'PUT',
+      headers,
+      body: JSON.stringify({
+        orgId: WEBHOOK_TEST_ORG_ID,
+        webhookId: createdWebhookId,
+        deliveryVersion: 'legacy',
+      }),
+    })
+    expect(legacyResponse.status).toBe(200)
+    const legacyData = await legacyResponse.json() as { webhook: { delivery_version: string } }
+    expect(legacyData.webhook.delivery_version).toBe('legacy')
+  })
+
   it('update webhook with no fields', async () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
       headers,
       body: JSON.stringify({
@@ -413,7 +586,7 @@ describe('[PUT] /webhooks', () => {
 
   it('update webhook with invalid webhookId', async () => {
     const invalidWebhookId = randomUUID()
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
       headers,
       body: JSON.stringify({
@@ -431,7 +604,7 @@ describe('[PUT] /webhooks', () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
       headers,
       body: JSON.stringify({
@@ -449,18 +622,19 @@ describe('[PUT] /webhooks', () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'PUT',
       headers,
       body: JSON.stringify({
         orgId: WEBHOOK_TEST_ORG_ID,
         webhookId: createdWebhookId,
-        url: 'http://example.com/webhook',
+        url: 'http://example.com/webhook?token=secret-token',
       }),
     })
     expect(response.status).toBe(400)
-    const data = await response.json() as { error: string }
+    const data = await response.json() as { error: string, moreInfo?: any }
     expect(data.error).toBe('invalid_url')
+    expectSanitizedUrlInfo(data)
   })
 })
 
@@ -469,7 +643,7 @@ describe('[POST] /webhooks/test', () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetch(`${BASE_URL}/webhooks/test`, {
+    const response = await fetch(webhookEndpoint('/test'), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -486,9 +660,25 @@ describe('[POST] /webhooks/test', () => {
     lastDeliveryId = data.delivery_id
   })
 
+  it('stores legacy test deliveries without the Standard Webhooks type field', async () => {
+    if (!lastDeliveryId)
+      throw new Error('Webhook test delivery was not created')
+
+    const { data: delivery, error } = await (getSupabaseClient() as any)
+      .from('webhook_deliveries')
+      .select('delivery_version, request_payload')
+      .eq('id', lastDeliveryId)
+      .single()
+
+    expect(error).toBeNull()
+    expect(delivery.delivery_version).toBe('legacy')
+    expect(delivery.request_payload.type).toBeUndefined()
+    expect(delivery.request_payload.event).toBe('test.ping')
+  })
+
   it('test webhook with invalid webhookId', async () => {
     const invalidWebhookId = randomUUID()
-    const response = await fetch(`${BASE_URL}/webhooks/test`, {
+    const response = await fetch(webhookEndpoint('/test'), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -501,8 +691,40 @@ describe('[POST] /webhooks/test', () => {
     expect(data.error).toBe('webhook_not_found')
   })
 
+  it('test webhook with invalid stored URL omits raw URL details', async () => {
+    if (!createdWebhookId)
+      throw new Error('Webhook was not created in previous test')
+
+    const { error: updateError } = await (getSupabaseClient() as any)
+      .from('webhooks')
+      .update({ url: 'http://example.com/webhook-test?token=secret-token' })
+      .eq('id', createdWebhookId)
+    expect(updateError).toBeNull()
+
+    try {
+      const response = await fetch(webhookEndpoint('/test'), {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({
+          orgId: WEBHOOK_TEST_ORG_ID,
+          webhookId: createdWebhookId,
+        }),
+      })
+      expect(response.status).toBe(400)
+      const data = await response.json() as { error: string, moreInfo?: any }
+      expect(data.error).toBe('invalid_url')
+      expectSanitizedUrlInfo(data)
+    }
+    finally {
+      await (getSupabaseClient() as any)
+        .from('webhooks')
+        .update({ url: webhookUrl })
+        .eq('id', createdWebhookId)
+    }
+  })
+
   it('test webhook with missing body', async () => {
-    const response = await fetch(`${BASE_URL}/webhooks/test`, {
+    const response = await fetch(webhookEndpoint('/test'), {
       method: 'POST',
       headers,
       body: JSON.stringify({}),
@@ -517,7 +739,7 @@ describe('[POST] /webhooks/test', () => {
     if (!createdWebhookId || !appScopedKey)
       throw new Error('Webhook test prerequisites were not created')
 
-    const response = await fetch(`${BASE_URL}/webhooks/test`, {
+    const response = await fetch(webhookEndpoint('/test'), {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
@@ -539,7 +761,7 @@ describe('[POST] /webhooks/test', () => {
     if (!createdWebhookId || !appScopedKey || !orgScopedSubkeyId)
       throw new Error('Webhook subkey test prerequisites were not created')
 
-    const response = await fetch(`${BASE_URL}/webhooks/test`, {
+    const response = await fetch(webhookEndpoint('/test'), {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
@@ -564,7 +786,7 @@ describe('[GET] /webhooks/deliveries', () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`, {
+    const response = await fetchWithRetry(webhookEndpoint(`/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`), {
       headers,
     })
     expect(response.status).toBe(200)
@@ -575,11 +797,38 @@ describe('[GET] /webhooks/deliveries', () => {
     expect(data.pagination.per_page).toBe(50)
   })
 
+  it('allows console JWT delivery listing through the API', async () => {
+    if (!createdWebhookId)
+      throw new Error('Webhook was not created in previous test')
+
+    const authHeaders = await getAuthHeaders()
+    const response = await fetchWithRetry(webhookEndpoint(`/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`), {
+      headers: authHeaders,
+    })
+
+    expect(response.status).toBe(200)
+    const data = await response.json() as { deliveries: any[] }
+    expect(Array.isArray(data.deliveries)).toBe(true)
+  })
+
+  it('blocks direct Supabase SDK access to webhook delivery rows', async () => {
+    if (!lastDeliveryId)
+      throw new Error('Webhook delivery was not created in previous test')
+
+    const directClient = await getAuthenticatedAnonClient()
+    const { error } = await (directClient as any)
+      .from('webhook_deliveries')
+      .select('id')
+      .eq('id', lastDeliveryId)
+
+    expect(error?.code).toBe('42501')
+  })
+
   it('get webhook deliveries with status filter', async () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}&status=success`, {
+    const response = await fetchWithRetry(webhookEndpoint(`/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}&status=success`), {
       headers,
     })
     expect(response.status).toBe(200)
@@ -591,7 +840,7 @@ describe('[GET] /webhooks/deliveries', () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}&page=0`, {
+    const response = await fetchWithRetry(webhookEndpoint(`/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}&page=0`), {
       headers,
     })
     expect(response.status).toBe(200)
@@ -601,7 +850,7 @@ describe('[GET] /webhooks/deliveries', () => {
 
   it('get webhook deliveries with invalid webhookId', async () => {
     const invalidWebhookId = randomUUID()
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${invalidWebhookId}`, {
+    const response = await fetchWithRetry(webhookEndpoint(`/deliveries?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${invalidWebhookId}`), {
       headers,
     })
     expect(response.status).toBe(400)
@@ -610,7 +859,7 @@ describe('[GET] /webhooks/deliveries', () => {
   })
 
   it('get webhook deliveries with missing body', async () => {
-    const response = await fetchWithRetry(`${BASE_URL}/webhooks/deliveries`, {
+    const response = await fetchWithRetry(webhookEndpoint('/deliveries'), {
       headers,
     })
     expect(response.status).toBe(400)
@@ -622,7 +871,7 @@ describe('[GET] /webhooks/deliveries', () => {
 describe('[POST] /webhooks/deliveries/retry', () => {
   it('retry delivery with invalid deliveryId', async () => {
     const invalidDeliveryId = randomUUID()
-    const response = await fetch(`${BASE_URL}/webhooks/deliveries/retry`, {
+    const response = await fetch(webhookEndpoint('/deliveries/retry'), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -639,7 +888,7 @@ describe('[POST] /webhooks/deliveries/retry', () => {
     if (!lastDeliveryId || !appScopedKey)
       throw new Error('Delivery retry prerequisites were not created')
 
-    const response = await fetch(`${BASE_URL}/webhooks/deliveries/retry`, {
+    const response = await fetch(webhookEndpoint('/deliveries/retry'), {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
@@ -661,7 +910,7 @@ describe('[POST] /webhooks/deliveries/retry', () => {
     if (!lastDeliveryId || !appScopedKey || !orgScopedSubkeyId)
       throw new Error('Delivery retry subkey prerequisites were not created')
 
-    const response = await fetch(`${BASE_URL}/webhooks/deliveries/retry`, {
+    const response = await fetch(webhookEndpoint('/deliveries/retry'), {
       method: 'POST',
       headers: {
         'Content-Type': 'application/json',
@@ -680,8 +929,126 @@ describe('[POST] /webhooks/deliveries/retry', () => {
     expect(data.message).toContain('App-scoped API keys')
   })
 
+  it('rejects retrying pending deliveries', async () => {
+    if (!createdWebhookId)
+      throw new Error('Webhook was not created in previous test')
+
+    const pendingDeliveryId = randomUUID()
+    const { error: insertError } = await (getSupabaseClient() as any)
+      .from('webhook_deliveries')
+      .insert({
+        id: pendingDeliveryId,
+        webhook_id: createdWebhookId,
+        org_id: WEBHOOK_TEST_ORG_ID,
+        event_type: 'app_versions.INSERT',
+        request_payload: {
+          event: 'app_versions.INSERT',
+          event_id: randomUUID(),
+          timestamp: new Date().toISOString(),
+          org_id: WEBHOOK_TEST_ORG_ID,
+          data: {
+            table: 'app_versions',
+            operation: 'INSERT',
+            record_id: randomUUID(),
+            old_record: null,
+            new_record: null,
+            changed_fields: null,
+          },
+        },
+        delivery_version: 'legacy',
+        status: 'pending',
+      })
+    expect(insertError).toBeNull()
+
+    try {
+      const response = await fetch(webhookEndpoint('/deliveries/retry'), {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({
+          orgId: WEBHOOK_TEST_ORG_ID,
+          deliveryId: pendingDeliveryId,
+        }),
+      })
+      expect(response.status).toBe(400)
+      const data = await response.json() as { error: string }
+      expect(data.error).toBe('delivery_not_failed')
+    }
+    finally {
+      await (getSupabaseClient() as any)
+        .from('webhook_deliveries')
+        .delete()
+        .eq('id', pendingDeliveryId)
+    }
+  })
+
+  it('retry delivery with invalid webhook URL omits raw URL details', async () => {
+    if (!createdWebhookId)
+      throw new Error('Webhook was not created in previous test')
+
+    const failedDeliveryId = randomUUID()
+    const { error: insertError } = await (getSupabaseClient() as any)
+      .from('webhook_deliveries')
+      .insert({
+        id: failedDeliveryId,
+        webhook_id: createdWebhookId,
+        org_id: WEBHOOK_TEST_ORG_ID,
+        event_type: 'app_versions.INSERT',
+        request_payload: {
+          event: 'app_versions.INSERT',
+          event_id: randomUUID(),
+          timestamp: new Date().toISOString(),
+          org_id: WEBHOOK_TEST_ORG_ID,
+          data: {
+            table: 'app_versions',
+            operation: 'INSERT',
+            record_id: randomUUID(),
+            old_record: null,
+            new_record: null,
+            changed_fields: null,
+          },
+        },
+        delivery_version: 'legacy',
+        status: 'failed',
+        response_status: 500,
+        response_body: 'failed test delivery',
+        attempt_count: 1,
+      })
+    expect(insertError).toBeNull()
+
+    const { error: updateError } = await (getSupabaseClient() as any)
+      .from('webhooks')
+      .update({ url: 'http://example.com/retry-webhook?token=secret-token' })
+      .eq('id', createdWebhookId)
+    expect(updateError).toBeNull()
+
+    try {
+      const response = await fetch(webhookEndpoint('/deliveries/retry'), {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({
+          orgId: WEBHOOK_TEST_ORG_ID,
+          deliveryId: failedDeliveryId,
+        }),
+      })
+      expect(response.status).toBe(400)
+      const data = await response.json() as { error: string, moreInfo?: any }
+      expect(data.error).toBe('invalid_url')
+      expectSanitizedUrlInfo(data)
+    }
+    finally {
+      await (getSupabaseClient() as any)
+        .from('webhooks')
+        .update({ url: webhookUrl })
+        .eq('id', createdWebhookId)
+      await (getSupabaseClient() as any)
+        .from('webhook_deliveries')
+        .delete()
+        .eq('id', failedDeliveryId)
+    }
+  })
+
   it('retry delivery with missing body', async () => {
-    const response = await fetch(`${BASE_URL}/webhooks/deliveries/retry`, {
+    const response = await fetch(webhookEndpoint('/deliveries/retry'), {
       method: 'POST',
       headers,
       body: JSON.stringify({}),
@@ -696,7 +1063,7 @@ describe('[POST] /webhooks/deliveries/retry', () => {
 describe('[DELETE] /webhooks', () => {
   it('delete webhook with invalid webhookId', async () => {
     const invalidWebhookId = randomUUID()
-    const response = await fetch(`${BASE_URL}/webhooks?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${invalidWebhookId}`, {
+    const response = await fetch(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${invalidWebhookId}`), {
       method: 'DELETE',
       headers,
     })
@@ -706,7 +1073,7 @@ describe('[DELETE] /webhooks', () => {
   })
 
   it('delete webhook with missing body', async () => {
-    const response = await fetch(`${BASE_URL}/webhooks`, {
+    const response = await fetch(webhookEndpoint(), {
       method: 'DELETE',
       headers,
     })
@@ -720,7 +1087,7 @@ describe('[DELETE] /webhooks', () => {
     if (!createdWebhookId)
       throw new Error('Webhook was not created in previous test')
 
-    const response = await fetch(`${BASE_URL}/webhooks?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`, {
+    const response = await fetch(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`), {
       method: 'DELETE',
       headers,
     })
@@ -730,7 +1097,7 @@ describe('[DELETE] /webhooks', () => {
     expect(data.webhookId).toBe(createdWebhookId)
 
     // Verify deletion
-    const getResponse = await fetch(`${BASE_URL}/webhooks?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`, {
+    const getResponse = await fetch(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${createdWebhookId}`), {
       headers,
     })
     expect(getResponse.status).toBe(400)
@@ -740,7 +1107,7 @@ describe('[DELETE] /webhooks', () => {
 
   it('delete already deleted webhook', async () => {
     // Create a new webhook to delete
-    const createResponse = await fetch(`${BASE_URL}/webhooks`, {
+    const createResponse = await fetch(webhookEndpoint(), {
       method: 'POST',
       headers,
       body: JSON.stringify({
@@ -754,13 +1121,13 @@ describe('[DELETE] /webhooks', () => {
     const webhookId = createData.webhook.id
 
     // First deletion
-    await fetch(`${BASE_URL}/webhooks?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${webhookId}`, {
+    await fetch(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${webhookId}`), {
       method: 'DELETE',
       headers,
     })
 
     // Second deletion attempt
-    const response = await fetch(`${BASE_URL}/webhooks?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${webhookId}`, {
+    const response = await fetch(webhookEndpoint(`?orgId=${WEBHOOK_TEST_ORG_ID}&webhookId=${webhookId}`), {
       method: 'DELETE',
       headers,
     })