heroku, webhooks

the point of using a webhook secret


For a heroku app, I have a webhook for "api:release".

Even if I set a secret for the webhook, my webhook app still receives the hook.

So what's the point of setting the optional secret?


Solution

  • Anyone can hit your webhook and trigger your build because it's an HTTP endpoint with no authentication. To prevent scripts/abusers from starting a massive number of builds, the secret can be used.

    When receiving the webhook, the sender has to include a token; this token can be validated by comparing it to the secret. If the tokens match, it is safe to assume that a valid client sent it. If the token doesn't match, you can ignore the request and thus prevent an unnecessary build that was initiated from an untrusted source.

    More details about setting up the secrets: https://devcenter.heroku.com/articles/app-webhooks#step-3-subscribe

    To compare the checksum you can use the following snippet:

    const crypto = require('crypto'); // Node.js built-in module
    // HMAC-SHA256 over the raw (unparsed) request body, keyed with the webhook secret, base64-encoded
    crypto.createHmac('sha256', '12345').update(Buffer.from(req.rawBody)).digest('base64');

    and compare it with the Heroku-Webhook-Hmac-SHA256 header value.