Securing Callback URL Endpoint in FHIR Subscription

Hi All,
We are implementing a pub-sub system based on FHIR Subscription and Notification resources.
At present we are evaluating best practices for securing the callback URL endpoint.
The FHIR Subscription specification says in one example to pass the auth token as a header itself in the subscription.
Is there any other way which the industry has implemented or defined?
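
The header-in-subscription approach mentioned above, seen from the subscriber's side, as an added example that is not part of the original posts: the callback endpoint checks each incoming notification against the headers registered in the Subscription. It assumes the FHIR R4 rest-hook shape (`channel.endpoint`, `channel.header`); the function names, endpoint and token are hypothetical.

```python
import hmac

# Constructed sample Subscription (FHIR R4 shape); endpoint and token are made up.
SUBSCRIPTION = {
    "resourceType": "Subscription",
    "status": "requested",
    "criteria": "Observation?code=http://loinc.org|1975-2",
    "channel": {
        "type": "rest-hook",
        "endpoint": "https://subscriber.example.org/fhir/notify",
        "payload": "application/fhir+json",
        "header": ["Authorization: Bearer constructed-sample-token"],
    },
}


def expected_headers(subscription):
    """Parse channel.header ("Name: value" strings) into a lowercase-keyed dict."""
    channel = subscription.get("channel", {})
    # The header value is a bearer secret, so refuse to use it over plain HTTP.
    if not channel.get("endpoint", "").lower().startswith("https://"):
        raise ValueError("callback endpoint must use https")
    parsed = {}
    for index, line in enumerate(channel.get("header", [])):
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            # Report the position only, so the secret never lands in logs.
            raise ValueError(f"malformed channel.header entry at index {index}")
        parsed[name.strip().lower()] = value.strip()
    return parsed


def notification_authorized(request_headers, expected):
    """True only if every registered header arrives with exactly the registered value."""
    if not expected:
        return False  # nothing registered: reject instead of accepting any caller
    received = {k.lower(): v.strip() for k, v in request_headers.items()}
    ok = True
    for name, value in expected.items():
        got = received.get(name, "")
        # Constant-time comparison, evaluated for every header (no early exit).
        ok &= hmac.compare_digest(got.encode(), value.encode())
    return ok


if __name__ == "__main__":
    exp = expected_headers(SUBSCRIPTION)
    print(notification_authorized({"Authorization": "Bearer constructed-sample-token"}, exp))
```

Because the token is stored in the Subscription resource itself, read access to that resource has to be restricted as tightly as the token.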

There is still a bit of an open question on the security piece here. The approaches I am aware of for testing right now are:

I am hoping to dedicate some time to discussion and testing of this at the Connectathon in September.