Hi @Andrea,
You understand correctly.
Actually, the way to use the authentication object in realm services is not always aligned across services.
It really depends on the services, for example graphql uses the access_token as a bearer header for its http request.
However, webhooks should use a script authentication to use the user_id you got.
If you want a detailed example please let me build one and I will provide it in upcoming days.
Best
Pavel