By default, an API Key can be used for any action or webhook.
This is because it has the privileges of the admin user that created it.
But you can associate an API key with a user, by using st2 apikey create -u <user>.
Then set up a role with limited access, and map that user to that role.
The role should look something like:
---
name: "webhook"
description: "Send permission to one specific webhook"
enabled: true
permission_grants:
-
resource_uid: "webhook:<name>"
permission_types:
- "webhook_send"
See this Github Issue for more information and examples.