First, simplify it down to just using a webhook without all the extras - standard port, no basic authentication.
Then don’t bother adding a different port or any basic authentication - unless you HAVE to use a different port (why?) and as your webhook can check for a made up API key before processing, you can skip the basic auth - anyone who probes the IP address and by some miracle happens on the page name can get no response if it’s not got the API header and not a properly formatted JSON message.
As for your first question, no, you can’t decide if the webhook gets used, any uplink from your device will get a webhook sent.