Currently, the Port Execution Agent verifies incoming events by validating the X-Port-Signature header, which is signed using the organization-level Client Secret. This means that even when a service account is configured as the agent's credentials, the signature verification still relies on the org-level secret — not the service account credentials.
This creates a security concern for customers with strict internal security standards, who prefer to use service account credentials to limit blast radius in case of a credential leak, following the principle of least privilege.
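The verification the issue describes, as an added illustration that is not Port's own code: an agent that checks `X-Port-Signature` against whichever secret it is configured with. HMAC-SHA256 over the raw body, hex encoded, the header name lookup and the sample secrets and payload are all assumptions made for this example; the page does not state the actual signing scheme.

```python
import hashlib
import hmac

HEADER = "X-Port-Signature"

# Constructed sample secrets for the example; not real credentials.
ORG_CLIENT_SECRET = b"example-org-client-secret"
SERVICE_ACCOUNT_SECRET = b"example-service-account-secret"


def sign_event(body: bytes, secret: bytes) -> str:
    """Compute the signature value for an event body.

    HMAC-SHA256 over the raw request body, hex encoded, is an assumption
    made for this example; the page does not state the actual scheme.
    """
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_event(headers: dict, body: bytes, secret: bytes) -> bool:
    """Check X-Port-Signature against the secret the agent is configured with.

    An agent running under a service account passes that account's secret
    here instead of the org-level Client Secret, so a leaked org secret does
    not let a sender forge events for it. Comparison is constant-time.
    """
    # HTTP header names are case-insensitive.
    received = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    if not received:
        return False  # unsigned events are rejected outright
    expected = sign_event(body, secret)
    return hmac.compare_digest(expected, received)


# Constructed sample event payload.
EVENT_BODY = b'{"action":"run","entity":"svc-123"}'


def demo() -> dict:
    """Report which secrets accept an event signed with the org-level secret."""
    headers = {HEADER: sign_event(EVENT_BODY, ORG_CLIENT_SECRET)}
    return {
        "org_secret_accepts": verify_event(headers, EVENT_BODY, ORG_CLIENT_SECRET),
        "service_account_accepts": verify_event(headers, EVENT_BODY, SERVICE_ACCOUNT_SECRET),
        "tampered_body_accepts": verify_event(headers, EVENT_BODY + b" ", ORG_CLIENT_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The middle result is the gap the issue raises: an event signed with the org-level secret is only valid to an agent that still trusts that secret, so verification has to be keyed to the credential the agent actually runs under.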
Created by Gal Katz