Channel: Bountied questions - Information Security Stack Exchange

Why are HMAC signatures frequently used for webhook authorization but not other HTTP API requests?


HMAC signatures are very commonly used for webhook authorization from service to consumer.

Examples:

and hundreds and hundreds more. This seems a near universal design decision.

Yet, the other direction (consumer to service) never uses HMAC signatures. The mechanism varies, but in some cases secrets are put directly in headers.

Why is HMAC so strongly preferred for service to consumer HTTP messages, but not consumer to service?
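
The two mechanisms the question contrasts, side by side, as an added example that is not part of the original post. The header names `X-Timestamp` and `X-Signature`, the five-minute replay window, the secret and the payload are all assumptions constructed for illustration, not any specific provider's scheme.

```python
import hashlib
import hmac
import time

SHARED_SECRET = b"constructed-demo-secret"   # constructed sample value
MAX_SKEW_SECONDS = 300                        # assumed replay window


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Service side: MAC over timestamp and raw body; the secret is never sent."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: int) -> bool:
    """Consumer side: recompute the MAC and compare in constant time."""
    try:
        timestamp = int(headers["X-Timestamp"])   # hypothetical header name
        received = headers["X-Signature"]         # hypothetical header name
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False                              # stale delivery, possible replay
    expected = sign_webhook(secret, timestamp, body)
    return hmac.compare_digest(expected, received)


def verify_static_secret(secret: bytes, headers: dict, body: bytes) -> bool:
    """Secret-in-header check: authenticates the sender, ignores the body."""
    presented = headers.get("Authorization", "").encode()
    return hmac.compare_digest(b"Bearer " + secret, presented)


def demo() -> dict:
    now = int(time.time())
    body = b'{"event":"invoice.paid","amount":100}'      # constructed payload
    tampered = body.replace(b"100", b"900")
    signed = {"X-Timestamp": str(now), "X-Signature": sign_webhook(SHARED_SECRET, now, body)}
    bearer = {"Authorization": "Bearer " + SHARED_SECRET.decode()}
    return {
        "hmac_original": verify_webhook(SHARED_SECRET, signed, body, now),
        "hmac_tampered": verify_webhook(SHARED_SECRET, signed, tampered, now),
        "hmac_replayed": verify_webhook(SHARED_SECRET, signed, body, now + 3600),
        "header_original": verify_static_secret(SHARED_SECRET, bearer, body),
        "header_tampered": verify_static_secret(SHARED_SECRET, bearer, tampered),
    }
```

The signed delivery is rejected once the body changes or the timestamp ages out, while the header secret is accepted for any body and is itself present in every request.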

