Starling provides a X-Hook-Signature in the header to confirm that the request is actually from Starling. It doesn't appear to be used which could lead to anyone posting data to the endpoint.

Starling docs -> Webhooks

Correct, but by choice.

We implemented a simpler version of this so that it works across multiple providers consistently.

https://github.com/fintech-to-ynab/fintech-to-ynab/wiki/Getting-Started#url-secret-optional