Charles Larry

"Webhook requests are automatically retried up to three times if the endpoint returns certain HTTP response codes. Unlike targets, consecutive failed requests won't deactivate webhooks."

What are the "certain HTTP response codes"?  Is this documented somewhere?

The statement that "using OAuth tokens for authentication doesn't tie the requests to a specific username and password" is true in the sense that anyone in possession of the OAuth token can use it. However, in a way it is tied to a specific user: the user that created it. For example, if user X creates the token and gives it user Y and user Y uses the token to add a comment to a ticket without setting the author_id of the comment to user Y, then the comment by default will be attributed to user X (the creator of the token).  That appears to be the phenomenon encountered by one user as described in his comment: https://support.zendesk.com/hc/en-us/articles/226316187/comments/360001755167