Are you saying you can't use a publiic endpoint even if it is secured by some kind of auth?
Our webhooks only support basic auth, and unfortunately the cloud functions only use IAM, but this outlines how we recommend you should secure your cloud function if needed:
Otherwise, you can create a middleware app that's hosted anywhere you like, as long as the URL can be called from Assistant with basic auth or whatever other kind of auth you want, maybe passing a secret param, etc.The old way of calling actions via the JSON is not being deprecated, but its also not really being enhanced, using JSON, etc.
Not sure if this helps, but assuming you've turned on the security on your web chat integration, you can use the JWT you provide on the call coming from the browser down stream in the dialog as it is available under $integrations.chat.private.jwt.
I know you've mentioned you don't want to use any authentication, but this can be used as means to authenticate with your client backend. This is probably the most secured mechanism you can achieve as the jwt was originally created by the client!