From 5b6ee17c81add7105f5522ac45981cf9a08894b2 Mon Sep 17 00:00:00 2001
From: Elias Meire <elias@meire.dev>
Date: Mon, 23 Mar 2026 12:48:52 +0100
Subject: [PATCH] feat(core): Add signature validation for waiting webhooks and
 forms (#24159)

Co-authored-by: Michael Kret <88898367+michael-radency@users.noreply.github.com>
---
 .../__tests__/js-task-runner.test.ts          |   4 +-
 .../src/js-task-runner/__tests__/test-data.ts |   1 +
 .../workflow-execute-additional-data.test.ts  |   8 +-
 .../__tests__/test-runner.service.ee.test.ts  |  29 +-
 .../data-request-response-builder.test.ts     |   8 +-
 .../data-request-response-stripper.test.ts    |  17 +
 .../data-request-response-builder.ts          |   1 +
 .../data-request-response-stripper.ts         |   1 +
 .../webhooks/__tests__/waiting-forms.test.ts  | 211 +++++++++++-
 .../__tests__/waiting-webhooks.test.ts        | 316 +++++++++++++-----
 packages/cli/src/webhooks/waiting-forms.ts    |  91 ++---
 packages/cli/src/webhooks/waiting-webhooks.ts | 151 ++++++---
 packages/cli/src/webhooks/webhook-helpers.ts  |   8 +-
 .../workflow-execution.service.test.ts        |  63 ++--
 .../templates/form-invalid-token.handlebars   | 131 ++++++++
 .../form-trigger-completion.handlebars        |  27 +-
 .../cli/templates/form-trigger.handlebars     |  26 +-
 ...-task-runner-execution.integration.test.ts |   5 +-
 .../core/nodes-testing/node-test-harness.ts   |   1 +
 .../__tests__/execution-context.test.ts       |   5 +-
 .../__tests__/routing-node.test.ts            |   5 +-
 ...process-process-run-execution-data.test.ts |   2 +
 .../__tests__/workflow-execute.test.ts        |  85 ++++-
 .../__tests__/execute-context.test.ts         |   6 +-
 .../__tests__/execute-single-context.test.ts  |   6 +-
 .../__tests__/node-execution-context.test.ts  |  33 +-
 .../__tests__/supply-data-context.test.ts     |  14 +-
 .../node-execution-context.ts                 |  17 +-
 .../__tests__/get-additional-keys.test.ts     |  34 +-
 .../utils/get-additional-keys.ts              |  17 +-
 .../src/execution-engine/workflow-execute.ts  |   2 +
 .../utils/__tests__/signature-helpers.test.ts |  26 --
 packages/core/src/utils/signature-helpers.ts  |  38 ++-
 packages/core/test/helpers/index.ts           |   2 +
 .../src/app/stores/workflows.store.test.ts    | 132 +++++++-
 .../src/app/stores/workflows.store.ts         |  17 +-
 .../executions/executions.utils.test.ts       |  48 +++
 .../execution/executions/executions.utils.ts  |  26 +-
 .../logs/components/LogsViewRunData.vue       |   6 +-
 .../ndv/panel/components/InputPanel.vue       |  15 +-
 .../ndv/panel/components/OutputPanel.vue      |   2 +-
 packages/nodes-base/nodes/Form/Form.node.ts   |   5 +
 .../nodes-base/nodes/Github/Github.node.ts    |   3 +
 packages/nodes-base/nodes/Wait/Wait.node.ts   |  27 +-
 .../nodes-base/utils/sendAndWait/utils.ts     |   1 -
 .../testing/playwright/pages/CanvasPage.ts    |   3 +
 .../tests/e2e/api/wait-form-resume.spec.ts    |  96 ++++++
 .../e2e/api/waiting-endpoint-security.spec.ts | 142 ++++++++
 .../tests/e2e/nodes/send-and-wait.spec.ts     | 270 +++++++++++++++
 .../editor/subworkflows/wait.spec.ts          |  44 ++-
 .../workflows/send-and-wait-approval.json     | 126 +++++++
 .../workflows/send-and-wait-form.json         | 130 +++++++
 .../workflows/wait-form-resume.json           | 124 +++++++
 .../workflows/wait-webhook-resume.json        | 115 +++++++
 packages/workflow/src/index.ts                |   1 +
 packages/workflow/src/interfaces.ts           |  14 +-
 .../src/run-execution-data-factory.ts         |  54 +--
 .../run-execution-data.v0.ts                  |   6 +-
 .../run-execution-data.v1.ts                  |   6 +-
 packages/workflow/src/utils.ts                |   7 +
 .../test/run-execution-data-factory.test.ts   |   6 +-
 .../run-execution-data.test.ts                |   4 +-
 62 files changed, 2408 insertions(+), 413 deletions(-)
 create mode 100644 packages/cli/templates/form-invalid-token.handlebars
 delete mode 100644 packages/core/src/utils/__tests__/signature-helpers.test.ts
 create mode 100644 packages/testing/playwright/tests/e2e/api/wait-form-resume.spec.ts
 create mode 100644 packages/testing/playwright/tests/e2e/api/waiting-endpoint-security.spec.ts
 create mode 100644 packages/testing/playwright/tests/e2e/nodes/send-and-wait.spec.ts
 create mode 100644 packages/testing/playwright/workflows/send-and-wait-approval.json
 create mode 100644 packages/testing/playwright/workflows/send-and-wait-form.json
 create mode 100644 packages/testing/playwright/workflows/wait-form-resume.json
 create mode 100644 packages/testing/playwright/workflows/wait-webhook-resume.json

diff --git a/packages/@n8n/task-runner/src/js-task-runner/__tests__/js-task-runner.test.ts b/packages/@n8n/task-runner/src/js-task-runner/__tests__/js-task-runner.test.ts
index 4eebc11d0ae..20595802171 100644
--- a/packages/@n8n/task-runner/src/js-task-runner/__tests__/js-task-runner.test.ts
+++ b/packages/@n8n/task-runner/src/js-task-runner/__tests__/js-task-runner.test.ts
@@ -388,8 +388,8 @@ describe('JsTaskRunner', () => {
 					{
 						id: 'exec-id',
 						mode: 'test',
-						resumeFormUrl: 'http://formWaitingBaseUrl/exec-id',
-						resumeUrl: 'http://webhookWaitingBaseUrl/exec-id',
+						resumeFormUrl: 'http://formwaitingbaseurl/exec-id?signature=test-resume-token',
+						resumeUrl: 'http://webhookwaitingbaseurl/exec-id?signature=test-resume-token',
 						customData: {
 							get: expect.any(Function),
 							getAll: expect.any(Function),
diff --git a/packages/@n8n/task-runner/src/js-task-runner/__tests__/test-data.ts b/packages/@n8n/task-runner/src/js-task-runner/__tests__/test-data.ts
index 814db39ce29..fa75b19925e 100644
--- a/packages/@n8n/task-runner/src/js-task-runner/__tests__/test-data.ts
+++ b/packages/@n8n/task-runner/src/js-task-runner/__tests__/test-data.ts
@@ -90,6 +90,7 @@ export const newDataRequestResponse = (
 		},
 		node: codeNode,
 		runExecutionData: createRunExecutionData({
+			resumeToken: 'test-resume-token',
 			resultData: {
 				runData: {
 					[manualTriggerNode.name]: [
diff --git a/packages/cli/src/__tests__/workflow-execute-additional-data.test.ts b/packages/cli/src/__tests__/workflow-execute-additional-data.test.ts
index 86622bb0dbc..a79b629e357 100644
--- a/packages/cli/src/__tests__/workflow-execute-additional-data.test.ts
+++ b/packages/cli/src/__tests__/workflow-execute-additional-data.test.ts
@@ -352,8 +352,10 @@ describe('WorkflowExecuteAdditionalData', () => {
 		});
 
 		it('should return default data', () => {
-			expect(getRunData(workflow)).toEqual({
+			const result = getRunData(workflow);
+			expect(result).toEqual({
 				executionData: createRunExecutionData({
+					resumeToken: result.executionData?.resumeToken,
 					executionData: {
 						contextData: {},
 						metadata: {},
@@ -388,8 +390,10 @@ describe('WorkflowExecuteAdditionalData', () => {
 				executionId: '123',
 				workflowId: '567',
 			};
-			expect(getRunData(workflow, data, parentExecution)).toEqual({
+			const result = getRunData(workflow, data, parentExecution);
+			expect(result).toEqual({
 				executionData: createRunExecutionData({
+					resumeToken: result.executionData?.resumeToken,
 					executionData: {
 						contextData: {},
 						metadata: {},
diff --git a/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts b/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts
index 5e72e34679f..a2783bb5cfa 100644
--- a/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts
+++ b/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts
@@ -890,21 +890,24 @@ describe('TestRunnerService', () => {
 						triggerToStartFrom: {
 							name: triggerNodeName,
 						},
-						executionData: createRunExecutionData({
-							executionData: null,
-							resultData: {
-								pinData: {
-									[triggerNodeName]: [testCase],
+						executionData: {
+							...createRunExecutionData({
+								executionData: null,
+								resultData: {
+									pinData: {
+										[triggerNodeName]: [testCase],
+									},
+									runData: {},
 								},
-								runData: {},
-							},
-							manualData: {
-								userId: metadata.userId,
-								triggerToStartFrom: {
-									name: triggerNodeName,
+								manualData: {
+									userId: metadata.userId,
+									triggerToStartFrom: {
+										name: triggerNodeName,
+									},
 								},
-							},
-						}),
+							}),
+							resumeToken: expect.any(String),
+						},
 					}),
 				);
 			});
diff --git a/packages/cli/src/task-runners/task-managers/__tests__/data-request-response-builder.test.ts b/packages/cli/src/task-runners/task-managers/__tests__/data-request-response-builder.test.ts
index 15632cf2c74..dafd558f5a1 100644
--- a/packages/cli/src/task-runners/task-managers/__tests__/data-request-response-builder.test.ts
+++ b/packages/cli/src/task-runners/task-managers/__tests__/data-request-response-builder.test.ts
@@ -59,6 +59,7 @@ const metadata = {
 };
 
 const runExecutionData = mock<IRunExecutionData>({
+	resumeToken: 'test-resume-token-preserved',
 	executionData: {
 		contextData,
 		metadata,
@@ -128,8 +129,8 @@ describe('DataRequestResponseBuilder', () => {
 	it('clears nodeExecutionStack, waitingExecution and waitingExecutionSource from runExecutionData', () => {
 		const result = builder.buildFromTaskData(taskData);
 
-		expect(result.runExecutionData).toStrictEqual(
-			createRunExecutionData({
+		expect(result.runExecutionData).toStrictEqual({
+			...createRunExecutionData({
 				startData: runExecutionData.startData,
 				resultData: runExecutionData.resultData,
 				executionData: {
@@ -140,6 +141,7 @@ describe('DataRequestResponseBuilder', () => {
 					waitingExecutionSource: null,
 				},
 			}),
-		);
+			resumeToken: 'test-resume-token-preserved',
+		});
 	});
 });
diff --git a/packages/cli/src/task-runners/task-managers/__tests__/data-request-response-stripper.test.ts b/packages/cli/src/task-runners/task-managers/__tests__/data-request-response-stripper.test.ts
index 739f5e7e543..6b8e9e99950 100644
--- a/packages/cli/src/task-runners/task-managers/__tests__/data-request-response-stripper.test.ts
+++ b/packages/cli/src/task-runners/task-managers/__tests__/data-request-response-stripper.test.ts
@@ -190,6 +190,23 @@ describe('DataRequestResponseStripper', () => {
 		});
 	});
 
+	describe('resumeToken', () => {
+		it('should preserve resumeToken when all data is requested', () => {
+			const result = new DataRequestResponseStripper(taskData, allDataParam).strip();
+
+			expect(result.runExecutionData.resumeToken).toBe(taskData.runExecutionData.resumeToken);
+		});
+
+		it('should preserve resumeToken when stripping with partial dataOfNodes', () => {
+			const result = new DataRequestResponseStripper(
+				taskData,
+				newRequestParam({ dataOfNodes: [codeNode.name], prevNode: false }),
+			).strip();
+
+			expect(result.runExecutionData.resumeToken).toBe(taskData.runExecutionData.resumeToken);
+		});
+	});
+
 	describe('envProviderState', () => {
 		it("should filter out envProviderState when it's not requested", () => {
 			const dataRequestResponseBuilder = new DataRequestResponseStripper(
diff --git a/packages/cli/src/task-runners/task-managers/data-request-response-builder.ts b/packages/cli/src/task-runners/task-managers/data-request-response-builder.ts
index eccd2fd3202..385d87aea61 100644
--- a/packages/cli/src/task-runners/task-managers/data-request-response-builder.ts
+++ b/packages/cli/src/task-runners/task-managers/data-request-response-builder.ts
@@ -82,6 +82,7 @@ export class DataRequestResponseBuilder {
 						waitingExecutionSource: null,
 					}
 				: undefined,
+			resumeToken: runExecutionData.resumeToken,
 		});
 	}
 }
diff --git a/packages/cli/src/task-runners/task-managers/data-request-response-stripper.ts b/packages/cli/src/task-runners/task-managers/data-request-response-stripper.ts
index 38f438bb5c9..81efe65f4d6 100644
--- a/packages/cli/src/task-runners/task-managers/data-request-response-stripper.ts
+++ b/packages/cli/src/task-runners/task-managers/data-request-response-stripper.ts
@@ -57,6 +57,7 @@ export class DataRequestResponseStripper {
 			// TODO: We could send `runExecutionData.contextData` only if requested,
 			// since it's only needed if $input.context or $("node").context is used.
 			executionData: runExecutionData.executionData,
+			resumeToken: runExecutionData.resumeToken,
 		});
 	}
 
diff --git a/packages/cli/src/webhooks/__tests__/waiting-forms.test.ts b/packages/cli/src/webhooks/__tests__/waiting-forms.test.ts
index d71d2fb33aa..fe48bb11e6d 100644
--- a/packages/cli/src/webhooks/__tests__/waiting-forms.test.ts
+++ b/packages/cli/src/webhooks/__tests__/waiting-forms.test.ts
@@ -1,22 +1,42 @@
 import type { IExecutionResponse, ExecutionRepository } from '@n8n/db';
 import type express from 'express';
 import { mock } from 'jest-mock-extended';
-import { getWebhookSandboxCSP } from 'n8n-core';
-import { FORM_NODE_TYPE, WAITING_FORMS_EXECUTION_STATUS, type Workflow } from 'n8n-workflow';
+import type { InstanceSettings } from 'n8n-core';
+import { getWebhookSandboxCSP, WAITING_TOKEN_QUERY_PARAM } from 'n8n-core';
+import {
+	FORM_NODE_TYPE,
+	WAITING_FORMS_EXECUTION_STATUS,
+	type IWorkflowBase,
+	type Workflow,
+} from 'n8n-workflow';
 
 import type { WaitingWebhookRequest } from '../webhook.types';
 
 import { WaitingForms } from '@/webhooks/waiting-forms';
 
 class TestWaitingForms extends WaitingForms {
-	exposeGetWorkflow(execution: IExecutionResponse): Workflow {
-		return this.getWorkflow(execution);
+	exposeCreateWorkflow(workflowData: IWorkflowBase): Workflow {
+		return this.createWorkflow(workflowData);
+	}
+
+	exposeValidateToken(
+		req: express.Request,
+		execution: IExecutionResponse,
+	): { valid: boolean; webhookPath?: string } {
+		return this.validateToken(req, execution);
 	}
 }
 
 describe('WaitingForms', () => {
 	const executionRepository = mock<ExecutionRepository>();
-	const waitingForms = new TestWaitingForms(mock(), mock(), executionRepository, mock(), mock());
+	const mockInstanceSettings = mock<InstanceSettings>();
+	const waitingForms = new TestWaitingForms(
+		mock(),
+		mock(),
+		executionRepository,
+		mock(),
+		mockInstanceSettings,
+	);
 
 	beforeEach(() => {
 		jest.restoreAllMocks();
@@ -302,6 +322,7 @@ describe('WaitingForms', () => {
 						runData: {},
 						error: undefined,
 					},
+					resumeToken: undefined, // Old execution without token - skip validation
 				},
 				workflowData: {
 					id: 'workflow1',
@@ -328,11 +349,12 @@ describe('WaitingForms', () => {
 			executionRepository.findSingleExecution.mockResolvedValue(execution);
 
 			const req = mock<WaitingWebhookRequest>({
-				headers: { origin: 'null' },
+				headers: { origin: 'null', host: 'localhost:5678' },
 				params: {
 					path: '123',
 					suffix: undefined,
 				},
+				url: '/form-waiting/123',
 			});
 
 			const res = mock<express.Response>();
@@ -362,7 +384,7 @@ describe('WaitingForms', () => {
 				},
 			});
 
-			const workflow = waitingForms.exposeGetWorkflow(execution);
+			const workflow = waitingForms.exposeCreateWorkflow(execution.workflowData);
 
 			expect(workflow.active).toBe(true);
 		});
@@ -384,7 +406,7 @@ describe('WaitingForms', () => {
 				},
 			});
 
-			const workflow = waitingForms.exposeGetWorkflow(execution);
+			const workflow = waitingForms.exposeCreateWorkflow(execution.workflowData);
 
 			expect(workflow.active).toBe(false);
 		});
@@ -406,7 +428,7 @@ describe('WaitingForms', () => {
 				},
 			});
 
-			const workflow = waitingForms.exposeGetWorkflow(execution);
+			const workflow = waitingForms.exposeCreateWorkflow(execution.workflowData);
 
 			expect(workflow.active).toBe(true);
 		});
@@ -428,7 +450,7 @@ describe('WaitingForms', () => {
 				},
 			});
 
-			const workflow = waitingForms.exposeGetWorkflow(execution);
+			const workflow = waitingForms.exposeCreateWorkflow(execution.workflowData);
 
 			expect(workflow.active).toBe(false);
 		});
@@ -445,6 +467,7 @@ describe('WaitingForms', () => {
 						runData: {},
 						error: undefined, // Must be explicitly set to undefined; jest-mock-extended returns a truthy mock if omitted
 					},
+					resumeToken: undefined, // Old execution without token
 				},
 				workflowData: {
 					id: 'workflow1',
@@ -471,11 +494,12 @@ describe('WaitingForms', () => {
 			executionRepository.findSingleExecution.mockResolvedValue(execution);
 
 			const req = mock<WaitingWebhookRequest>({
-				headers: {},
+				headers: { host: 'localhost:5678' },
 				params: {
 					path: '123',
 					suffix: undefined,
 				},
+				url: '/form-waiting/123',
 			});
 
 			const res = mock<express.Response>();
@@ -501,6 +525,7 @@ describe('WaitingForms', () => {
 						runData: {},
 						error: undefined, // Must be explicitly set to undefined; jest-mock-extended returns a truthy mock if omitted
 					},
+					resumeToken: undefined, // Old execution without token
 				},
 				workflowData: {
 					id: 'workflow1',
@@ -527,11 +552,12 @@ describe('WaitingForms', () => {
 			executionRepository.findSingleExecution.mockResolvedValue(execution);
 
 			const req = mock<WaitingWebhookRequest>({
-				headers: {},
+				headers: { host: 'localhost:5678' },
 				params: {
 					path: '123',
 					suffix: undefined,
 				},
+				url: '/form-waiting/123',
 			});
 
 			const res = mock<express.Response>();
@@ -544,4 +570,165 @@ describe('WaitingForms', () => {
 			);
 		});
 	});
+
+	describe('executeWebhook - token validation', () => {
+		it('should return 401 when resumeToken is set but request has no token', async () => {
+			const execution = mock<IExecutionResponse>({
+				finished: false,
+				status: 'waiting',
+				data: {
+					resultData: {
+						lastNodeExecuted: 'FormNode',
+						runData: {},
+						error: undefined,
+					},
+					resumeToken: 'a'.repeat(64),
+				},
+				workflowData: {
+					id: 'workflow1',
+					name: 'Test Workflow',
+					nodes: [],
+					connections: {},
+					active: false,
+					activeVersionId: undefined,
+					settings: {},
+					staticData: {},
+					isArchived: false,
+					createdAt: new Date(),
+					updatedAt: new Date(),
+				},
+			});
+			executionRepository.findSingleExecution.mockResolvedValue(execution);
+
+			const req = mock<WaitingWebhookRequest>({
+				headers: { host: 'localhost:5678' },
+				params: {
+					path: '123',
+					suffix: undefined,
+				},
+				url: '/form-waiting/123', // No token in URL
+			});
+
+			const mockRender = jest.fn();
+			const mockStatus = jest.fn().mockReturnValue({ render: mockRender });
+			const res = mock<express.Response>({
+				status: mockStatus,
+			});
+
+			const result = await waitingForms.executeWebhook(req, res);
+
+			expect(mockStatus).toHaveBeenCalledWith(401);
+			expect(mockRender).toHaveBeenCalledWith('form-invalid-token');
+			expect(result).toEqual({ noWebhookResponse: true });
+		});
+
+		it('should skip token validation when resumeToken is undefined (backwards compat)', async () => {
+			const execution = mock<IExecutionResponse>({
+				finished: true,
+				status: 'success',
+				data: {
+					resultData: {
+						lastNodeExecuted: 'LastNode',
+						runData: {},
+						error: undefined,
+					},
+					resumeToken: undefined, // Must be explicitly set to undefined; jest-mock-extended returns a truthy mock if omitted
+				},
+				workflowData: {
+					id: 'workflow1',
+					name: 'Test Workflow',
+					nodes: [
+						{
+							name: 'LastNode',
+							type: 'other-node-type',
+							typeVersion: 1,
+							position: [0, 0],
+							parameters: {},
+						},
+					],
+					connections: {},
+					active: false,
+					activeVersionId: undefined,
+					settings: {},
+					staticData: {},
+					isArchived: false,
+					createdAt: new Date(),
+					updatedAt: new Date(),
+				},
+			});
+			executionRepository.findSingleExecution.mockResolvedValue(execution);
+
+			const req = mock<WaitingWebhookRequest>({
+				headers: { host: 'localhost:5678' },
+				params: {
+					path: '123',
+					suffix: undefined,
+				},
+				url: '/form-waiting/123', // No token, but validation is skipped
+			});
+
+			const res = mock<express.Response>();
+
+			// Should not throw or return 401 - should proceed to render completion page
+			const result = await waitingForms.executeWebhook(req, res);
+
+			expect(res.setHeader).toHaveBeenCalledWith('Content-Security-Policy', getWebhookSandboxCSP());
+			expect(result).toEqual({ noWebhookResponse: true });
+		});
+	});
+
+	describe('validateToken - backwards compat webhook path extraction', () => {
+		const TEST_TOKEN = 'a'.repeat(64);
+
+		const createMockRequest = (opts: { host?: string; signature?: string; path?: string }) => {
+			const urlPath = opts.path ?? '/form-waiting/123';
+			const fullUrl = opts.signature
+				? `${urlPath}?${WAITING_TOKEN_QUERY_PARAM}=${opts.signature}`
+				: urlPath;
+			return mock<express.Request>({
+				url: fullUrl,
+				headers: { host: opts.host ?? 'localhost:5678' },
+			});
+		};
+
+		const createMockExecution = (token: string) =>
+			mock<IExecutionResponse>({
+				data: { resumeToken: token },
+			});
+
+		it('should extract webhook path from token when appended (backwards compat)', () => {
+			/* Arrange - URL format: ?signature=token/suffix */
+			const tokenWithSuffix = `${TEST_TOKEN}/my-custom-suffix`;
+			const mockReq = createMockRequest({ signature: tokenWithSuffix });
+			const mockExecution = createMockExecution(TEST_TOKEN);
+
+			/* Act */
+			const result = waitingForms.exposeValidateToken(mockReq, mockExecution);
+
+			/* Assert */
+			expect(result).toEqual({ valid: true, webhookPath: 'my-custom-suffix' });
+		});
+
+		it('should handle nested suffix paths in token (backwards compat)', () => {
+			/* Arrange - URL format: ?signature=token/path/to/suffix */
+			const tokenWithNestedSuffix = `${TEST_TOKEN}/path/to/suffix`;
+			const mockReq = createMockRequest({ signature: tokenWithNestedSuffix });
+			const mockExecution = createMockExecution(TEST_TOKEN);
+
+			/* Act */
+			const result = waitingForms.exposeValidateToken(mockReq, mockExecution);
+
+			/* Assert */
+			expect(result).toEqual({ valid: true, webhookPath: 'path/to/suffix' });
+		});
+
+		it('should reject when token does not match', () => {
+			const mockReq = createMockRequest({ signature: 'b'.repeat(64) });
+			const mockExecution = createMockExecution(TEST_TOKEN);
+
+			const result = waitingForms.exposeValidateToken(mockReq, mockExecution);
+
+			expect(result).toEqual({ valid: false, webhookPath: undefined });
+		});
+	});
 });
diff --git a/packages/cli/src/webhooks/__tests__/waiting-webhooks.test.ts b/packages/cli/src/webhooks/__tests__/waiting-webhooks.test.ts
index 472614fb7b6..35075b93d79 100644
--- a/packages/cli/src/webhooks/__tests__/waiting-webhooks.test.ts
+++ b/packages/cli/src/webhooks/__tests__/waiting-webhooks.test.ts
@@ -2,8 +2,9 @@ import type { IExecutionResponse, ExecutionRepository } from '@n8n/db';
 import type express from 'express';
 import { mock } from 'jest-mock-extended';
 import type { InstanceSettings } from 'n8n-core';
-import { generateUrlSignature, prepareUrlForSigning, WAITING_TOKEN_QUERY_PARAM } from 'n8n-core';
+import { WAITING_TOKEN_QUERY_PARAM } from 'n8n-core';
 import type { IWorkflowBase, Workflow } from 'n8n-workflow';
+import { SEND_AND_WAIT_OPERATION } from 'n8n-workflow';
 
 import { ConflictError } from '@/errors/response-errors/conflict.error';
 import { NotFoundError } from '@/errors/response-errors/not-found.error';
@@ -17,15 +18,24 @@ class TestWaitingWebhooks extends WaitingWebhooks {
 	exposeCreateWorkflow(workflowData: IWorkflowBase): Workflow {
 		return this.createWorkflow(workflowData);
 	}
+
+	exposeValidateSignature(req: express.Request): { valid: boolean; webhookPath?: string } {
+		return this.validateSignature(req);
+	}
+
+	exposeValidateToken(
+		req: express.Request,
+		execution: IExecutionResponse,
+	): { valid: boolean; webhookPath?: string } {
+		return this.validateToken(req, execution);
+	}
 }
 
 describe('WaitingWebhooks', () => {
-	const SIGNING_SECRET = 'test-secret';
+	const TEST_HMAC_SECRET = 'test-hmac-secret-key';
 	const executionRepository = mock<ExecutionRepository>();
 	const mockWebhookService = mock<WebhookService>();
-	const mockInstanceSettings = mock<InstanceSettings>({
-		hmacSignatureSecret: SIGNING_SECRET,
-	});
+	const mockInstanceSettings = mock<InstanceSettings>({ hmacSignatureSecret: TEST_HMAC_SECRET });
 	const waitingWebhooks = new TestWaitingWebhooks(
 		mock(),
 		mock(),
@@ -110,110 +120,245 @@ describe('WaitingWebhooks', () => {
 		});
 	});
 
-	describe('validateSignatureInRequest', () => {
+	describe('validateSignature', () => {
 		const EXAMPLE_HOST = 'example.com';
-		const generateValidSignature = (host = EXAMPLE_HOST) =>
-			generateUrlSignature(
-				prepareUrlForSigning(new URL('/webhook/test', `http://${host}`)),
-				SIGNING_SECRET,
-			);
 
-		const createMockRequest = (opts: { host?: string; signature: string }) =>
-			mock<express.Request>({
-				url: `/webhook/test?${WAITING_TOKEN_QUERY_PARAM}=` + opts.signature,
-				host: opts.host ?? EXAMPLE_HOST,
-				query: { [WAITING_TOKEN_QUERY_PARAM]: opts.signature },
+		// Helper to generate proper HMAC signature for a URL
+		const generateTestSignature = (urlPath: string) => {
+			const crypto = require('crypto');
+			return crypto.createHmac('sha256', TEST_HMAC_SECRET).update(urlPath).digest('hex');
+		};
+
+		const createMockRequest = (opts: { host?: string; signature?: string; path?: string }) => {
+			const urlPath = opts.path ?? '/webhook/test';
+			const fullUrl = opts.signature
+				? `${urlPath}?${WAITING_TOKEN_QUERY_PARAM}=${opts.signature}`
+				: urlPath;
+			return mock<express.Request>({
+				url: fullUrl,
 				headers: { host: opts.host ?? EXAMPLE_HOST },
 			});
+		};
 
-		it('should validate signature correctly', () => {
+		it('should validate signature correctly when HMAC matches', () => {
 			/* Arrange */
-			const signature = generateValidSignature();
-			const mockReq = createMockRequest({ signature });
+			const urlPath = '/webhook/test';
+			const validSignature = generateTestSignature(urlPath);
+			const mockReq = createMockRequest({ signature: validSignature, path: urlPath });
 
 			/* Act */
-			const result = waitingWebhooks.validateSignatureInRequest(mockReq);
+			const result = waitingWebhooks.exposeValidateSignature(mockReq);
 
 			/* Assert */
-			expect(result).toBe(true);
-		});
-
-		it('should validate signature correctly when host contains a port', () => {
-			/* Arrange */
-			const signature = generateValidSignature('example.com:8080');
-			const mockReq = createMockRequest({
-				signature,
-				host: 'example.com:8080',
-			});
-
-			/* Act */
-			const result = waitingWebhooks.validateSignatureInRequest(mockReq);
-
-			/* Assert */
-			expect(result).toBe(true);
-		});
-
-		it('should validate signature correctly when n8n is behind a reverse proxy', () => {
-			/* Arrange */
-			const signature = generateValidSignature('proxy.example.com');
-			const mockReq = mock<express.Request>({
-				url: `/webhook/test?${WAITING_TOKEN_QUERY_PARAM}=` + signature,
-				host: 'proxy.example.com',
-				query: { [WAITING_TOKEN_QUERY_PARAM]: signature },
-				headers: {
-					host: 'localhost',
-					// eslint-disable-next-line @typescript-eslint/naming-convention
-					'x-forwarded-host': 'proxy.example.com',
-				},
-			});
-
-			/* Act */
-			const result = waitingWebhooks.validateSignatureInRequest(mockReq);
-
-			/* Assert */
-			expect(result).toBe(true);
+			expect(result).toEqual({ valid: true, webhookPath: undefined });
 		});
 
 		it('should return false when signature is missing', () => {
 			/* Arrange */
-			const mockReq = mock<express.Request>({
-				url: '/webhook/test',
-				hostname: 'example.com',
-				query: {},
-			});
+			const mockReq = createMockRequest({});
 
 			/* Act */
-			const result = waitingWebhooks.validateSignatureInRequest(mockReq);
+			const result = waitingWebhooks.exposeValidateSignature(mockReq);
 
 			/* Assert */
-			expect(result).toBe(false);
+			expect(result).toEqual({ valid: false });
 		});
 
-		it('should return false when signature is empty', () => {
+		it('should return false when signature is invalid', () => {
 			/* Arrange */
-			const mockReq = mock<express.Request>({
-				url: `/webhook/test?${WAITING_TOKEN_QUERY_PARAM}=`,
-				hostname: 'example.com',
-				query: { [WAITING_TOKEN_QUERY_PARAM]: '' },
-			});
-
-			/* Act */
-			const result = waitingWebhooks.validateSignatureInRequest(mockReq);
-
-			/* Assert */
-			expect(result).toBe(false);
-		});
-
-		it('should return false when signatures do not match', () => {
-			/* Arrange */
-			const wrongSignature = 'wrong-signature';
+			const wrongSignature = 'b'.repeat(64);
 			const mockReq = createMockRequest({ signature: wrongSignature });
 
 			/* Act */
-			const result = waitingWebhooks.validateSignatureInRequest(mockReq);
+			const result = waitingWebhooks.exposeValidateSignature(mockReq);
 
 			/* Assert */
-			expect(result).toBe(false);
+			expect(result).toEqual({ valid: false, webhookPath: undefined });
+		});
+
+		it('should return false when signature length is wrong', () => {
+			/* Arrange */
+			const shortSignature = 'abc123';
+			const mockReq = createMockRequest({ signature: shortSignature });
+
+			/* Act */
+			const result = waitingWebhooks.exposeValidateSignature(mockReq);
+
+			/* Assert */
+			expect(result).toEqual({ valid: false, webhookPath: undefined });
+		});
+
+		it('should extract suffix from signature when appended (backwards compat)', () => {
+			/* Arrange - URL format: ?signature=hmac/suffix */
+			const urlPath = '/webhook/test';
+			const validSignature = generateTestSignature(urlPath);
+			const signatureWithSuffix = `${validSignature}/my-suffix`;
+			const mockReq = createMockRequest({ signature: signatureWithSuffix, path: urlPath });
+
+			/* Act */
+			const result = waitingWebhooks.exposeValidateSignature(mockReq);
+
+			/* Assert */
+			expect(result).toEqual({ valid: true, webhookPath: 'my-suffix' });
+		});
+
+		it('should handle nested suffix paths (backwards compat)', () => {
+			/* Arrange - URL format: ?signature=hmac/path/to/suffix */
+			const urlPath = '/webhook/test';
+			const validSignature = generateTestSignature(urlPath);
+			const signatureWithNestedSuffix = `${validSignature}/path/to/suffix`;
+			const mockReq = createMockRequest({ signature: signatureWithNestedSuffix, path: urlPath });
+
+			/* Act */
+			const result = waitingWebhooks.exposeValidateSignature(mockReq);
+
+			/* Assert */
+			expect(result).toEqual({ valid: true, webhookPath: 'path/to/suffix' });
+		});
+
+		it('should validate signature correctly when nodeId suffix is part of signed URL (send-and-wait)', () => {
+			/* Arrange - Send-and-wait URLs include nodeId in the signed path along with query params.
+			 * The signature is computed from pathname + query params (excluding signature itself). */
+			const nodeId = '3a3e4b33-52d1-41f9-9c69-2829030062ff';
+			const pathWithNodeId = `/webhook-waiting/123/${nodeId}`;
+			const pathWithParams = `${pathWithNodeId}?approved=true`;
+			// Signature generated for full path including nodeId and query params
+			const validSignature = generateTestSignature(pathWithParams);
+			// Construct URL with both approved and signature params
+			const fullUrl = `${pathWithNodeId}?approved=true&${WAITING_TOKEN_QUERY_PARAM}=${validSignature}`;
+			const mockReq = mock<express.Request>({
+				url: fullUrl,
+				headers: { host: EXAMPLE_HOST },
+			});
+
+			/* Act - Don't pass suffix because nodeId is part of signed URL */
+			const result = waitingWebhooks.exposeValidateSignature(mockReq);
+
+			/* Assert */
+			expect(result).toEqual({ valid: true, webhookPath: undefined });
+		});
+	});
+
+	describe('executeWebhook - signature validation', () => {
+		it('should return 401 with HTML for send-and-wait requests with invalid signature', async () => {
+			/* Arrange */
+			const nodeId = 'send-and-wait-node-id';
+			const execution = mock<IExecutionResponse>({
+				finished: false,
+				status: 'waiting',
+				data: {
+					resultData: {
+						lastNodeExecuted: 'SendAndWaitNode',
+						runData: {},
+						error: undefined,
+					},
+					resumeToken: 'a'.repeat(64),
+				},
+				workflowData: {
+					id: 'workflow1',
+					name: 'Test Workflow',
+					nodes: [
+						{
+							id: nodeId,
+							name: 'SendAndWaitNode',
+							type: 'n8n-nodes-base.sendAndWait',
+							parameters: { operation: SEND_AND_WAIT_OPERATION },
+							typeVersion: 1,
+							position: [0, 0],
+						},
+					],
+					connections: {},
+					active: false,
+					settings: {},
+					staticData: {},
+				},
+			});
+			executionRepository.findSingleExecution.mockResolvedValue(execution);
+
+			const mockStatus = jest.fn().mockReturnThis();
+			const mockRender = jest.fn();
+			const mockJson = jest.fn();
+			const res = mock<express.Response>({
+				status: mockStatus,
+				render: mockRender,
+				json: mockJson,
+			});
+			// Request has wrong signature
+			const req = mock<WaitingWebhookRequest>({
+				params: { path: 'execution-id', suffix: nodeId },
+				method: 'GET',
+				url: `/webhook/execution-id/${nodeId}?${WAITING_TOKEN_QUERY_PARAM}=wrong-signature`,
+				headers: { host: 'example.com' },
+			});
+
+			/* Act */
+			const result = await waitingWebhooks.executeWebhook(req, res);
+
+			/* Assert */
+			expect(mockStatus).toHaveBeenCalledWith(401);
+			expect(mockRender).toHaveBeenCalledWith('form-invalid-token');
+			expect(mockJson).not.toHaveBeenCalled();
+			expect(result).toEqual({ noWebhookResponse: true });
+		});
+
+		it('should return 401 with JSON for non-send-and-wait requests with invalid token', async () => {
+			/* Arrange */
+			const execution = mock<IExecutionResponse>({
+				finished: false,
+				status: 'waiting',
+				data: {
+					resultData: {
+						lastNodeExecuted: 'WaitNode',
+						runData: {},
+						error: undefined,
+					},
+					resumeToken: 'a'.repeat(64),
+				},
+				workflowData: {
+					id: 'workflow1',
+					name: 'Test Workflow',
+					nodes: [
+						{
+							id: 'wait-node-id',
+							name: 'WaitNode',
+							type: 'n8n-nodes-base.wait',
+							parameters: { operation: 'webhook' },
+							typeVersion: 1,
+							position: [0, 0],
+						},
+					],
+					connections: {},
+					active: false,
+					settings: {},
+					staticData: {},
+				},
+			});
+			executionRepository.findSingleExecution.mockResolvedValue(execution);
+
+			const mockStatus = jest.fn().mockReturnThis();
+			const mockRender = jest.fn();
+			const mockJson = jest.fn();
+			const res = mock<express.Response>({
+				status: mockStatus,
+				render: mockRender,
+				json: mockJson,
+			});
+			// Request has wrong signature
+			const req = mock<WaitingWebhookRequest>({
+				params: { path: 'execution-id', suffix: 'wait-node-id' },
+				method: 'GET',
+				url: `/webhook/execution-id/wait-node-id?${WAITING_TOKEN_QUERY_PARAM}=wrong-signature`,
+				headers: { host: 'example.com' },
+			});
+
+			/* Act */
+			const result = await waitingWebhooks.executeWebhook(req, res);
+
+			/* Assert */
+			expect(mockStatus).toHaveBeenCalledWith(401);
+			expect(mockJson).toHaveBeenCalledWith({ error: 'Invalid token' });
+			expect(mockRender).not.toHaveBeenCalled();
+			expect(result).toEqual({ noWebhookResponse: true });
 		});
 	});
 
@@ -371,6 +516,7 @@ describe('WaitingWebhooks', () => {
 
 			// Explicitly set error to undefined to avoid mock function
 			mockExecution.data.resultData.error = undefined;
+			mockExecution.data.resumeToken = undefined;
 
 			executionRepository.findSingleExecution.mockResolvedValue(mockExecution);
 
@@ -500,6 +646,7 @@ describe('WaitingWebhooks', () => {
 
 			// Explicitly set error to undefined to avoid mock function
 			mockExecution.data.resultData.error = undefined;
+			mockExecution.data.resumeToken = undefined;
 
 			executionRepository.findSingleExecution.mockResolvedValue(mockExecution);
 
@@ -636,6 +783,7 @@ describe('WaitingWebhooks', () => {
 
 			// Explicitly set error to undefined to avoid mock function
 			mockExecution.data.resultData.error = undefined;
+			mockExecution.data.resumeToken = undefined;
 
 			executionRepository.findSingleExecution.mockResolvedValue(mockExecution);
 
@@ -772,6 +920,7 @@ describe('WaitingWebhooks', () => {
 
 			// Explicitly set error to undefined to avoid mock function
 			mockExecution.data.resultData.error = undefined;
+			mockExecution.data.resumeToken = undefined;
 
 			executionRepository.findSingleExecution.mockResolvedValue(mockExecution);
 
@@ -903,6 +1052,7 @@ describe('WaitingWebhooks', () => {
 
 			// Explicitly set error to undefined to avoid mock function
 			mockExecution.data.resultData.error = undefined;
+			mockExecution.data.resumeToken = undefined;
 
 			executionRepository.findSingleExecution.mockResolvedValue(mockExecution);
 
diff --git a/packages/cli/src/webhooks/waiting-forms.ts b/packages/cli/src/webhooks/waiting-forms.ts
index b3c66060e92..ad33cf770c0 100644
--- a/packages/cli/src/webhooks/waiting-forms.ts
+++ b/packages/cli/src/webhooks/waiting-forms.ts
@@ -11,7 +11,6 @@ import {
 } from 'n8n-workflow';
 
 import { ConflictError } from '@/errors/response-errors/conflict.error';
-import { getWorkflowActiveStatusFromWorkflowData } from '@/executions/execution.utils';
 import { NotFoundError } from '@/errors/response-errors/not-found.error';
 import { WaitingWebhooks } from '@/webhooks/waiting-webhooks';
 
@@ -33,20 +32,6 @@ export class WaitingForms extends WaitingWebhooks {
 		}
 	}
 
-	protected getWorkflow(execution: IExecutionResponse) {
-		const { workflowData } = execution;
-		return new Workflow({
-			id: workflowData.id,
-			name: workflowData.name,
-			nodes: workflowData.nodes,
-			connections: workflowData.connections,
-			active: getWorkflowActiveStatusFromWorkflowData(workflowData),
-			nodeTypes: this.nodeTypes,
-			staticData: workflowData.staticData,
-			settings: workflowData.settings,
-		});
-	}
-
 	findCompletionPage(workflow: Workflow, runData: IRunData, lastNodeExecuted: string) {
 		const parentNodes = workflow.getParentNodes(lastNodeExecuted);
 		const lastNode = workflow.nodes[lastNodeExecuted];
@@ -74,7 +59,7 @@ export class WaitingForms extends WaitingWebhooks {
 		req: WaitingWebhookRequest,
 		res: express.Response,
 	): Promise<IWebhookResponseCallbackData> {
-		const { path: executionId, suffix } = req.params;
+		const { path: executionId, suffix: routeSuffix } = req.params;
 
 		this.logReceivedWebhook(req.method, executionId);
 
@@ -85,25 +70,22 @@ export class WaitingForms extends WaitingWebhooks {
 
 		const execution = await this.getExecution(executionId);
 
-		if (suffix === WAITING_FORMS_EXECUTION_STATUS) {
-			let status: string = execution?.status ?? 'null';
-			const { node } = execution?.data.executionData?.nodeExecutionStack[0] ?? {};
-
-			if (node && status === 'waiting') {
-				if (node.type === FORM_NODE_TYPE) {
-					status = 'form-waiting';
-				}
-				if (node.type === WAIT_NODE_TYPE && node.parameters.resume === 'form') {
-					status = 'form-waiting';
-				}
+		// Validate token for forms (backwards compat: skip for old executions without resumeToken)
+		let webhookPath: string | undefined;
+		if (execution?.data.resumeToken) {
+			const result = this.validateToken(req, execution);
+			if (!result.valid) {
+				res.status(401).render('form-invalid-token');
+				return { noWebhookResponse: true };
 			}
-
-			applyCors(req, res);
-
-			res.send(status);
-			return { noWebhookResponse: true };
+			webhookPath = result.webhookPath;
 		}
 
+		const suffix = routeSuffix ?? webhookPath;
+
+		const statusResult = this.handleStatusRequest(execution, suffix, req, res);
+		if (statusResult) return statusResult;
+
 		if (!execution) {
 			throw new NotFoundError(`The execution "${executionId}" does not exist.`);
 		}
@@ -121,10 +103,7 @@ export class WaitingForms extends WaitingWebhooks {
 		let lastNodeExecuted = execution.data.resultData.lastNodeExecuted as string;
 
 		if (execution.finished) {
-			// find the completion page to render
-			// if there is no completion page, render the default page
-			const workflow = this.getWorkflow(execution);
-
+			const workflow = this.createWorkflow(execution.workflowData);
 			const completionPage = this.findCompletionPage(
 				workflow,
 				execution.data.resultData.runData,
@@ -138,13 +117,10 @@ export class WaitingForms extends WaitingWebhooks {
 					message: 'Your response has been recorded',
 					formTitle: 'Form Submitted',
 				});
-
-				return {
-					noWebhookResponse: true,
-				};
-			} else {
-				lastNodeExecuted = completionPage;
+				return { noWebhookResponse: true };
 			}
+
+			lastNodeExecuted = completionPage;
 		}
 
 		applyCors(req, res);
@@ -158,4 +134,35 @@ export class WaitingForms extends WaitingWebhooks {
 			suffix,
 		});
 	}
+
+	/**
+	 * Checks if the request is a form execution status poll and, if so,
+	 * responds with the current execution status (e.g. 'waiting', 'form-waiting')
+	 * and signals that no further webhook response is needed.
+	 * Returns `undefined` for non-status requests so normal webhook handling continues.
+	 */
+	private handleStatusRequest(
+		execution: IExecutionResponse | undefined,
+		suffix: string | undefined,
+		req: WaitingWebhookRequest,
+		res: express.Response,
+	): IWebhookResponseCallbackData | undefined {
+		if (suffix !== WAITING_FORMS_EXECUTION_STATUS) return undefined;
+
+		let status: string = execution?.status ?? 'null';
+		const { node } = execution?.data.executionData?.nodeExecutionStack[0] ?? {};
+
+		if (node && status === 'waiting') {
+			if (node.type === FORM_NODE_TYPE) {
+				status = 'form-waiting';
+			}
+			if (node.type === WAIT_NODE_TYPE && node.parameters.resume === 'form') {
+				status = 'form-waiting';
+			}
+		}
+
+		applyCors(req, res);
+		res.send(status);
+		return { noWebhookResponse: true };
+	}
 }
diff --git a/packages/cli/src/webhooks/waiting-webhooks.ts b/packages/cli/src/webhooks/waiting-webhooks.ts
index 4734a451168..568645ae792 100644
--- a/packages/cli/src/webhooks/waiting-webhooks.ts
+++ b/packages/cli/src/webhooks/waiting-webhooks.ts
@@ -2,29 +2,22 @@ import { Logger } from '@n8n/backend-common';
 import type { IExecutionResponse } from '@n8n/db';
 import { ExecutionRepository } from '@n8n/db';
 import { Service } from '@n8n/di';
-import crypto from 'crypto';
+import { timingSafeEqual } from 'crypto';
 import type express from 'express';
+import { InstanceSettings, WAITING_TOKEN_QUERY_PARAM, validateUrlSignature } from 'n8n-core';
 import {
-	InstanceSettings,
-	WAITING_TOKEN_QUERY_PARAM,
-	prepareUrlForSigning,
-	generateUrlSignature,
-} from 'n8n-core';
-import {
-	FORM_NODE_TYPE,
 	type INodes,
 	type IWorkflowBase,
 	NodeConnectionTypes,
 	SEND_AND_WAIT_OPERATION,
-	WAIT_NODE_TYPE,
 	Workflow,
 } from 'n8n-workflow';
 
 import { sanitizeWebhookRequest } from './webhook-request-sanitizer';
 import { WebhookService } from './webhook.service';
 import type {
-	IWebhookResponseCallbackData,
 	IWebhookManager,
+	IWebhookResponseCallbackData,
 	WaitingWebhookRequest,
 } from './webhook.types';
 
@@ -51,7 +44,7 @@ export class WaitingWebhooks implements IWebhookManager {
 		protected readonly nodeTypes: NodeTypes,
 		private readonly executionRepository: ExecutionRepository,
 		private readonly webhookService: WebhookService,
-		private readonly instanceSettings: InstanceSettings,
+		protected readonly instanceSettings: InstanceSettings,
 	) {}
 
 	// TODO: implement `getWebhookMethods` for CORS support
@@ -103,36 +96,84 @@ export class WaitingWebhooks implements IWebhookManager {
 		});
 	}
 
-	validateSignatureInRequest(req: express.Request) {
-		try {
-			const actualToken = req.query[WAITING_TOKEN_QUERY_PARAM];
+	/**
+	 * Extracts the `signature` query param and an optional webhook path
+	 * appended after it (backwards compat: `?signature=token/my-suffix`).
+	 */
+	private parseSignatureParam(req: express.Request): {
+		token: string | undefined;
+		webhookPath: string | undefined;
+	} {
+		const url = new URL(req.url, `http://${req.headers.host ?? 'localhost'}`);
+		let token = url.searchParams.get(WAITING_TOKEN_QUERY_PARAM) ?? undefined;
+		let webhookPath: string | undefined;
 
-			if (typeof actualToken !== 'string') return false;
-
-			// req.host is set correctly even when n8n is behind a reverse proxy
-			// as long as N8N_PROXY_HOPS is set correctly
-			const parsedUrl = new URL(req.url, `http://${req.host}`);
-			parsedUrl.searchParams.delete(WAITING_TOKEN_QUERY_PARAM);
-
-			const urlForSigning = prepareUrlForSigning(parsedUrl);
-
-			const expectedToken = generateUrlSignature(
-				urlForSigning,
-				this.instanceSettings.hmacSignatureSecret,
-			);
-
-			const valid = crypto.timingSafeEqual(Buffer.from(actualToken), Buffer.from(expectedToken));
-			return valid;
-		} catch (error) {
-			return false;
+		// Handle backwards compat: extract webhook path if appended after the token
+		// e.g., ?signature=abc123/my-suffix -> token is "abc123", webhookPath is "my-suffix"
+		if (token?.includes('/')) {
+			const slashIndex = token.indexOf('/');
+			webhookPath = token.slice(slashIndex + 1);
+			token = token.slice(0, slashIndex);
 		}
+
+		return { token, webhookPath };
+	}
+
+	/**
+	 * Validates the request by comparing the provided token against the stored
+	 * `resumeToken` using timing-safe comparison.
+	 *
+	 * Used for form and webhook waiting URLs, where the token is an opaque
+	 * random value (no query params to tamper-proof).
+	 */
+	protected validateToken(
+		req: express.Request,
+		execution: IExecutionResponse,
+	): { valid: boolean; webhookPath?: string } {
+		const { token, webhookPath } = this.parseSignatureParam(req);
+		const storedToken = execution.data.resumeToken;
+
+		if (!token || !storedToken || token.length !== storedToken.length) {
+			return { valid: false };
+		}
+
+		const valid = timingSafeEqual(Buffer.from(token), Buffer.from(storedToken));
+		return { valid, webhookPath };
+	}
+
+	/**
+	 * Validates the HMAC signature in the request URL.
+	 *
+	 * Used exclusively for send-and-wait URLs, where query params like
+	 * `approved=true` must be tamper-proof.
+	 */
+	protected validateSignature(req: express.Request): { valid: boolean; webhookPath?: string } {
+		const url = new URL(req.url, `http://${req.headers.host ?? 'localhost'}`);
+		const { token: providedSignature, webhookPath } = this.parseSignatureParam(req);
+
+		if (!providedSignature) {
+			return { valid: false };
+		}
+
+		// Restore the cleaned signature on the URL (without any appended webhook path)
+		// so that `validateUrlSignature` can re-derive the expected HMAC from the full
+		// URL including the node-id suffix and action params (e.g. approved=true).
+		url.searchParams.set(WAITING_TOKEN_QUERY_PARAM, providedSignature);
+
+		const valid = validateUrlSignature(
+			providedSignature,
+			url,
+			this.instanceSettings.hmacSignatureSecret,
+		);
+		return { valid, webhookPath };
 	}
 
 	async executeWebhook(
 		req: WaitingWebhookRequest,
 		res: express.Response,
 	): Promise<IWebhookResponseCallbackData> {
-		const { path: executionId, suffix } = req.params;
+		const { path: executionId } = req.params;
+		let { suffix } = req.params;
 
 		this.logReceivedWebhook(req.method, executionId);
 
@@ -143,15 +184,31 @@ export class WaitingWebhooks implements IWebhookManager {
 
 		const execution = await this.getExecution(executionId);
 
-		if (execution?.data.validateSignature) {
-			const lastNodeExecuted = execution.data.resultData.lastNodeExecuted as string;
-			const lastNode = execution.workflowData.nodes.find((node) => node.name === lastNodeExecuted);
-			const shouldValidate = lastNode?.parameters.operation === SEND_AND_WAIT_OPERATION;
+		// Only validate for executions that have a resumeToken.
+		// Old executions created before token validation are skipped (backwards compat).
+		if (execution?.data.resumeToken) {
+			const { workflowData } = execution;
+			const { nodes } = this.createWorkflow(workflowData);
+			const isSendAndWait = this.isSendAndWaitRequest(nodes, suffix);
 
-			if (shouldValidate && !this.validateSignatureInRequest(req)) {
-				res.status(401).json({ error: 'Invalid token' });
+			// Send-and-wait uses HMAC to protect tamper-sensitive query params (e.g. approved=true).
+			// All other waiting URLs use a simple random token comparison.
+			const { valid, webhookPath } = isSendAndWait
+				? this.validateSignature(req)
+				: this.validateToken(req, execution);
+
+			if (!valid) {
+				if (isSendAndWait) {
+					res.status(401).render('form-invalid-token');
+				} else {
+					res.status(401).json({ error: 'Invalid token' });
+				}
 				return { noWebhookResponse: true };
 			}
+			// Use webhook path parsed from token if not in route (backwards compat for old URL format)
+			if (!suffix && webhookPath) {
+				suffix = webhookPath;
+			}
 		}
 
 		if (!execution) {
@@ -259,22 +316,6 @@ export class WaitingWebhooks implements IWebhookManager {
 				return { noWebhookResponse: true };
 			}
 
-			if (!execution.data.resultData.error && execution.status === 'waiting') {
-				const childNodes = workflow.getChildNodes(
-					execution.data.resultData.lastNodeExecuted as string,
-				);
-
-				const hasChildForms = childNodes.some(
-					(node) =>
-						workflow.nodes[node].type === FORM_NODE_TYPE ||
-						workflow.nodes[node].type === WAIT_NODE_TYPE,
-				);
-
-				if (hasChildForms) {
-					return { noWebhookResponse: true };
-				}
-			}
-
 			throw new NotFoundError(errorMessage);
 		}
 
diff --git a/packages/cli/src/webhooks/webhook-helpers.ts b/packages/cli/src/webhooks/webhook-helpers.ts
index 8135868fdbe..44ccd9e45f2 100644
--- a/packages/cli/src/webhooks/webhook-helpers.ts
+++ b/packages/cli/src/webhooks/webhook-helpers.ts
@@ -10,7 +10,7 @@ import type { Project } from '@n8n/db';
 import { ExecutionRepository } from '@n8n/db';
 import { Container } from '@n8n/di';
 import type express from 'express';
-import { BinaryDataService, ErrorReporter } from 'n8n-core';
+import { BinaryDataService, ErrorReporter, WAITING_TOKEN_QUERY_PARAM } from 'n8n-core';
 import type {
 	IBinaryData,
 	IDataObject,
@@ -767,7 +767,11 @@ export async function executeWebhook(
 		});
 
 		if (responseMode === 'formPage' && !didSendResponse) {
-			res.send({ formWaitingUrl: `${additionalData.formWaitingBaseUrl}/${executionId}` });
+			const formUrl = new URL(`${additionalData.formWaitingBaseUrl}/${executionId}`);
+			if (runExecutionData.resumeToken) {
+				formUrl.searchParams.set(WAITING_TOKEN_QUERY_PARAM, runExecutionData.resumeToken);
+			}
+			res.send({ formWaitingUrl: formUrl.toString() });
 			process.nextTick(() => res.end());
 			didSendResponse = true;
 		}
diff --git a/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts b/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts
index a8a09317309..07a6f0b8d68 100644
--- a/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts
+++ b/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts
@@ -772,39 +772,42 @@ describe('WorkflowExecutionService', () => {
 			expect(workflowRunnerMock.run).toHaveBeenCalledTimes(1);
 			expect(workflowRunnerMock.run).toHaveBeenCalledWith({
 				executionMode: 'error',
-				executionData: createRunExecutionData({
-					executionData: {
-						contextData: {},
-						metadata: {},
-						nodeExecutionStack: [
-							{
-								node: errorTriggerNode,
-								data: {
-									main: [
-										[
-											{
-												json: workflowErrorData,
-											},
+				executionData: {
+					...createRunExecutionData({
+						executionData: {
+							contextData: {},
+							metadata: {},
+							nodeExecutionStack: [
+								{
+									node: errorTriggerNode,
+									data: {
+										main: [
+											[
+												{
+													json: workflowErrorData,
+												},
+											],
 										],
-									],
-								},
-								source: null,
-								metadata: {
-									parentExecution: {
-										executionId: 'execution-id',
-										workflowId: 'workflow-id',
+									},
+									source: null,
+									metadata: {
+										parentExecution: {
+											executionId: 'execution-id',
+											workflowId: 'workflow-id',
+										},
 									},
 								},
-							},
-						],
-						waitingExecution: {},
-						waitingExecutionSource: {},
-					},
-					resultData: {
-						runData: {},
-					},
-					startData: {},
-				}),
+							],
+							waitingExecution: {},
+							waitingExecutionSource: {},
+						},
+						resultData: {
+							runData: {},
+						},
+						startData: {},
+					}),
+					resumeToken: expect.any(String),
+				},
 				workflowData: errorWorkflow,
 				projectId: 'project-id',
 				projectName: 'Error Project',
diff --git a/packages/cli/templates/form-invalid-token.handlebars b/packages/cli/templates/form-invalid-token.handlebars
new file mode 100644
index 00000000000..2cc8bc0971a
--- /dev/null
+++ b/packages/cli/templates/form-invalid-token.handlebars
@@ -0,0 +1,131 @@
+<!DOCTYPE html>
+<html lang='en'>
+
+<head>
+  <meta charset='UTF-8' />
+  <meta name='viewport' content='width=device-width, initial-scale=1.0' />
+  <link rel='icon' type='image/png' href='https://n8n.io/favicon.ico' />
+  <link href='https://fonts.googleapis.com/css?family=Open+Sans' rel='stylesheet' type='text/css' />
+  <title>Invalid Form Link</title>
+  <style>
+    :root {
+      /* Fonts */
+      --font-family: 'Open Sans', sans-serif;
+      --font-weight-normal: 400;
+      --font-weight-bold: 600;
+      --font-size-body: 12px;
+      --font-size-link: 12px;
+      --font-size-header: 20px;
+      --font-size-subheader: 14px;
+
+      /* Colors */
+      --color-background: #FBFCFE;
+      --color-card-bg: white;
+      --color-card-border: #DBDFE7;
+      --color-card-shadow: #634DFF0F;
+      --color-link: #7E8186;
+      --color-header: #525356;
+      --color-header-subtext: #7E8186;
+
+      /* Spacing & dimensions */
+      --padding-container-top: 24px;
+      --container-width: 448px;
+      --card-padding: 24px;
+      --card-border-radius: 8px;
+      --card-margin-bottom: 16px;
+    }
+
+    *,
+    ::after,
+    ::before {
+      box-sizing: border-box;
+      margin: 0;
+      padding: 0;
+    }
+
+    body {
+      font-family: var(--font-family);
+      font-weight: var(--font-weight-normal);
+      font-size: var(--font-size-body);
+      display: flex;
+      flex-direction: column;
+      justify-content: start;
+      background-color: var(--color-background);
+    }
+
+    .container {
+      margin: auto;
+      text-align: center;
+      padding-top: var(--padding-container-top);
+      width: var(--container-width);
+    }
+
+    .card {
+      padding: var(--card-padding);
+      background-color: var(--color-card-bg);
+      border: 1px solid var(--color-card-border);
+      border-radius: var(--card-border-radius);
+      box-shadow: 0px 4px 16px 0px var(--color-card-shadow);
+      margin-bottom: var(--card-margin-bottom);
+    }
+
+    .n8n-link a {
+      color: var(--color-link);
+      font-weight: var(--font-weight-bold);
+      font-size: var(--font-size-link);
+      text-decoration: none;
+    }
+
+    .n8n-link svg {
+      display: inline-block;
+      vertical-align: middle;
+    }
+
+    .header h1 {
+      color: var(--color-header);
+      font-size: var(--font-size-header);
+      font-weight: var(--font-weight-normal);
+      padding-bottom: 8px;
+    }
+
+    .header p {
+      color: var(--color-header-subtext);
+      font-size: var(--font-size-subheader);
+      font-weight: var(--font-weight-normal);
+    }
+  </style>
+</head>
+
+<body>
+  <div class='container'>
+    <section>
+      <div class='card'>
+        <div class='header'>
+          <h1>Invalid Form Link</h1>
+          <p>This form link is invalid or has expired. Please request a new link.</p>
+        </div>
+      </div>
+      <div class='n8n-link'>
+        <a href='https://n8n.io/?utm_source=n8n-internal&amp;utm_medium=form-trigger&amp' target='_blank' rel='noopener noreferrer'>
+          Form automated with
+          <svg width='73' height='20' viewBox='0 0 73 20' fill='none' xmlns='http://www.w3.org/2000/svg'>
+            <path fill-rule='evenodd' clip-rule='evenodd'
+              d='M40.2373 4C40.2373 6.20915 38.4464 8 36.2373 8C34.3735 8 32.8074 6.72525 32.3633 5H26.7787C25.801 5 24.9666 5.70685 24.8059 6.6712L24.6415 7.6576C24.4854 8.59415 24.0116 9.40925 23.3417 10C24.0116 10.5907 24.4854 11.4058 24.6415 12.3424L24.8059 13.3288C24.9666 14.2931 25.801 15 26.7787 15H28.3633C28.8074 13.2747 30.3735 12 32.2373 12C34.4464 12 36.2373 13.7908 36.2373 16C36.2373 18.2092 34.4464 20 32.2373 20C30.3735 20 28.8074 18.7253 28.3633 17H26.7787C24.8233 17 23.1546 15.5864 22.8331 13.6576L22.6687 12.6712C22.508 11.7069 21.6736 11 20.6959 11H19.0645C18.5652 12.64 17.0406 13.8334 15.2373 13.8334C13.434 13.8334 11.9094 12.64 11.4101 11H9.06449C8.56519 12.64 7.04059 13.8334 5.2373 13.8334C3.02817 13.8334 1.2373 12.0424 1.2373 9.83335C1.2373 7.6242 3.02817 5.83335 5.2373 5.83335C7.16069 5.83335 8.76699 7.19085 9.15039 9H11.3242C11.7076 7.19085 13.3139 5.83335 15.2373 5.83335C17.1607 5.83335 18.767 7.19085 19.1504 9H20.6959C21.6736 9 22.508 8.29315 22.6687 7.3288L22.8331 6.3424C23.1546 4.41365 24.8233 3 26.7787 3H32.3633C32.8074 1.27478 34.3735 0 36.2373 0C38.4464 0 40.2373 1.79086 40.2373 4ZM38.2373 4C38.2373 5.10455 37.3419 6 36.2373 6C35.1327 6 34.2373 5.10455 34.2373 4C34.2373 2.89543 35.1327 2 36.2373 2C37.3419 2 38.2373 2.89543 38.2373 4ZM5.2373 11.8334C6.34189 11.8334 7.23729 10.9379 7.23729 9.83335C7.23729 8.72875 6.34189 7.83335 5.2373 7.83335C4.13273 7.83335 3.2373 8.72875 3.2373 9.83335C3.2373 10.9379 4.13273 11.8334 5.2373 11.8334ZM15.2373 11.8334C16.3419 11.8334 17.2373 10.9379 17.2373 9.83335C17.2373 8.72875 16.3419 7.83335 15.2373 7.83335C14.1327 7.83335 13.2373 8.72875 13.2373 9.83335C13.2373 10.9379 14.1327 11.8334 15.2373 11.8334ZM32.2373 18C33.3419 18 34.2373 17.1045 34.2373 16C34.2373 14.8954 33.3419 14 32.2373 14C31.1327 14 30.2373 14.8954 30.2373 16C30.2373 17.1045 31.1327 18 32.2373 18Z'
+              fill='#EA4B71'></path>
+            <path
+              d='M44.2393 15.0007H46.3277V10.5791C46.3277 9.12704 47.2088 8.49074 48.204 8.49074C49.183 8.49074 49.9498 9.14334 49.9498 10.4812V15.0007H52.038V10.057C52.038 7.91969 50.798 6.67969 48.8567 6.67969C47.633 6.67969 46.9477 7.16914 46.4582 7.80544H46.3277L46.1482 6.84284H44.2393V15.0007Z'
+              fill='#101330'></path>
+            <path
+              d='M60.0318 9.50205V9.40415C60.7498 9.0452 61.4678 8.4252 61.4678 7.20155C61.4678 5.43945 60.0153 4.37891 58.0088 4.37891C55.9528 4.37891 54.4843 5.5047 54.4843 7.23415C54.4843 8.4089 55.1698 9.0452 55.9203 9.40415V9.50205C55.0883 9.79575 54.0928 10.6768 54.0928 12.1452C54.0928 13.9237 55.5613 15.1637 57.9923 15.1637C60.4233 15.1637 61.8428 13.9237 61.8428 12.1452C61.8428 10.6768 60.8638 9.81205 60.0318 9.50205ZM57.9923 5.87995C58.8083 5.87995 59.4118 6.40205 59.4118 7.2831C59.4118 8.16415 58.7918 8.6863 57.9923 8.6863C57.1928 8.6863 56.5238 8.16415 56.5238 7.2831C56.5238 6.38575 57.1603 5.87995 57.9923 5.87995ZM57.9923 13.5974C57.0458 13.5974 56.2793 12.9937 56.2793 11.9658C56.2793 11.0358 56.9153 10.3342 57.9758 10.3342C59.0203 10.3342 59.6568 11.0195 59.6568 11.9984C59.6568 12.9937 58.9223 13.5974 57.9923 13.5974Z'
+              fill='#101330'></path>
+            <path
+              d='M63.9639 15.0007H66.0524V10.5791C66.0524 9.12704 66.9334 8.49074 67.9289 8.49074C68.9079 8.49074 69.6744 9.14334 69.6744 10.4812V15.0007H71.7629V10.057C71.7629 7.91969 70.5229 6.67969 68.5814 6.67969C67.3579 6.67969 66.6724 7.16914 66.1829 7.80544H66.0524L65.8729 6.84284H63.9639V15.0007Z'
+              fill='#101330'></path>
+          </svg>
+        </a>
+      </div>
+    </section>
+  </div>
+</body>
+
+</html>
diff --git a/packages/cli/templates/form-trigger-completion.handlebars b/packages/cli/templates/form-trigger-completion.handlebars
index a375d95902e..522f10345b6 100644
--- a/packages/cli/templates/form-trigger-completion.handlebars
+++ b/packages/cli/templates/form-trigger-completion.handlebars
@@ -158,17 +158,32 @@
 			<a id='redirectUrl' href='{{redirectUrl}}' style='display: none;'></a>
 		{{/if}}
 	<script>
+		// Get signature from URL for fetch requests
+		const url = new URL(window.location.href);
+		const formSignature = url.searchParams.get('signature');
+
 		let interval = 1000;
 		let timeoutId;
 		const checkExecutionStatus = async () => {
 			if (!interval) return;
 
 			try {
-				const response = await fetch(`${ window.location.href }/n8n-execution-status`);
+				const statusUrl = new URL(window.location.href);
+				statusUrl.pathname = statusUrl.pathname + '/n8n-execution-status';
+				// Include signature in fetch request for validation
+				if (formSignature) {
+					statusUrl.searchParams.set('signature', formSignature);
+				}
+				const response = await fetch(statusUrl.toString());
 				const text = (await response.text()).trim();
 
 				if (text === "form-waiting") {
-					window.location.replace(window.location.href);
+					// Redirect with signature in URL (will be cleaned after load)
+					const redirectUrl = new URL(window.location.href);
+					if (formSignature) {
+						redirectUrl.searchParams.set('signature', formSignature);
+					}
+					window.location.replace(redirectUrl.toString());
 					return;
 				}
 
@@ -210,7 +225,13 @@
 			}
 		});
 
-			fetch('', {
+			// Include signature in POST URL for waiting forms
+			let postUrl = '';
+			if (window.location.href.includes('form-waiting') && formSignature) {
+				postUrl = '?signature=' + encodeURIComponent(formSignature);
+			}
+
+			fetch(postUrl, {
 					method: 'POST',
 					body: {}
 			})
diff --git a/packages/cli/templates/form-trigger.handlebars b/packages/cli/templates/form-trigger.handlebars
index 75f31a0b1bf..dde2ae3e142 100644
--- a/packages/cli/templates/form-trigger.handlebars
+++ b/packages/cli/templates/form-trigger.handlebars
@@ -692,6 +692,10 @@
 			</section>
 		</div>
 		<script>
+			// Get signature from URL for fetch requests
+			const url = new URL(window.location.href);
+			let formSignature = url.searchParams.get('signature');
+
 			function updateError(errorElement, action = 'add', message = '') {
 				if(action === 'add') {
 					errorElement.textContent = message;
@@ -898,11 +902,23 @@
 				if (!interval) return;
 
 				try {
-					const response = await fetch(`${formWaitingUrl ?? window.location.href}/n8n-execution-status`);
+					const baseUrl = formWaitingUrl ?? window.location.href;
+					const url = new URL(baseUrl);
+					url.pathname = url.pathname + '/n8n-execution-status';
+					// Include signature in fetch request for validation
+					if (formSignature) {
+						url.searchParams.set('signature', formSignature);
+					}
+					const response = await fetch(url.toString());
 					const text = (await response.text()).trim();
 
 					if (text === "form-waiting") {
-						window.location.replace(formWaitingUrl ?? window.location.href);
+						// Redirect to form page with signature in URL (will be cleaned after load)
+						const redirectUrl = new URL(formWaitingUrl ?? window.location.href);
+						if (formSignature) {
+							redirectUrl.searchParams.set('signature', formSignature);
+						}
+						window.location.replace(redirectUrl.toString());
 						return;
 					}
 
@@ -991,6 +1007,9 @@
 					let postUrl = '';
 					if (!window.location.href.includes('form-waiting')) {
 						postUrl = window.location.search;
+					} else if (formSignature) {
+						// For waiting forms, include signature in POST URL since it was cleaned from address bar
+						postUrl = '?signature=' + encodeURIComponent(formSignature);
 					}
 
 					const authToken = '{{{ authToken }}}';
@@ -1017,6 +1036,9 @@
 
 								if(json?.formWaitingUrl) {
 									formWaitingUrl = json.formWaitingUrl;
+									// Extract signature from URL for subsequent requests
+									const waitingUrl = new URL(json.formWaitingUrl);
+									formSignature = waitingUrl.searchParams.get('signature');
 									clearTimeout(timeoutId);
 									timeoutId = setTimeout(checkExecutionStatus, interval);
 									return;
diff --git a/packages/cli/test/integration/task-runners/js-task-runner-execution.integration.test.ts b/packages/cli/test/integration/task-runners/js-task-runner-execution.integration.test.ts
index 6c7fa49f15e..5ea6ba7262f 100644
--- a/packages/cli/test/integration/task-runners/js-task-runner-execution.integration.test.ts
+++ b/packages/cli/test/integration/task-runners/js-task-runner-execution.integration.test.ts
@@ -136,7 +136,10 @@ describe('JS TaskRunner execution on internal mode', () => {
 		});
 
 		return {
-			additionalData: mock<IWorkflowExecuteAdditionalData>(),
+			additionalData: mock<IWorkflowExecuteAdditionalData>({
+				webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+				formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+			}),
 			executeFunctions: mock<IExecuteFunctions>(),
 			taskSettings,
 			codeNode,
diff --git a/packages/core/nodes-testing/node-test-harness.ts b/packages/core/nodes-testing/node-test-harness.ts
index bd0219966ac..32706bbcc0a 100644
--- a/packages/core/nodes-testing/node-test-harness.ts
+++ b/packages/core/nodes-testing/node-test-harness.ts
@@ -228,6 +228,7 @@ export class NodeTestHarness {
 		const additionalData = mock<IWorkflowExecuteAdditionalData>({
 			executionId: '1',
 			webhookWaitingBaseUrl: 'http://localhost/waiting-webhook',
+			formWaitingBaseUrl: 'http://localhost/waiting-form',
 			hooks,
 			// Get from node.parameters
 			currentNodeParameters: undefined,
diff --git a/packages/core/src/execution-engine/__tests__/execution-context.test.ts b/packages/core/src/execution-engine/__tests__/execution-context.test.ts
index 20d808ced0b..677be2f5409 100644
--- a/packages/core/src/execution-engine/__tests__/execution-context.test.ts
+++ b/packages/core/src/execution-engine/__tests__/execution-context.test.ts
@@ -15,7 +15,10 @@ import { establishExecutionContext } from '../execution-context';
 
 describe('establishExecutionContext', () => {
 	const mockWorkflow = mock<Workflow>({ id: 'test-workflow-id' });
-	const mockAdditionalData = mock<IWorkflowExecuteAdditionalData>();
+	const mockAdditionalData = mock<IWorkflowExecuteAdditionalData>({
+		webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+		formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+	});
 	const mockMode: WorkflowExecuteMode = 'manual';
 
 	describe('successful context establishment', () => {
diff --git a/packages/core/src/execution-engine/__tests__/routing-node.test.ts b/packages/core/src/execution-engine/__tests__/routing-node.test.ts
index 05eabb2033a..83c8e6213be 100644
--- a/packages/core/src/execution-engine/__tests__/routing-node.test.ts
+++ b/packages/core/src/execution-engine/__tests__/routing-node.test.ts
@@ -99,7 +99,10 @@ const getExecuteSingleFunctions = (
 
 describe('RoutingNode', () => {
 	const nodeTypes = NodeTypes();
-	const additionalData = mock<IWorkflowExecuteAdditionalData>();
+	const additionalData = mock<IWorkflowExecuteAdditionalData>({
+		webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+		formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+	});
 
 	describe('getRequestOptionsFromParameters', () => {
 		const tests: Array<{
diff --git a/packages/core/src/execution-engine/__tests__/workflow-execute-process-process-run-execution-data.test.ts b/packages/core/src/execution-engine/__tests__/workflow-execute-process-process-run-execution-data.test.ts
index 8e265dd1084..2591ccfede3 100644
--- a/packages/core/src/execution-engine/__tests__/workflow-execute-process-process-run-execution-data.test.ts
+++ b/packages/core/src/execution-engine/__tests__/workflow-execute-process-process-run-execution-data.test.ts
@@ -35,6 +35,8 @@ describe('processRunExecutionData', () => {
 	const additionalData = mock<IWorkflowExecuteAdditionalData>({
 		hooks: { runHook },
 		restartExecutionId: undefined,
+		webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+		formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
 	});
 	const executionMode: WorkflowExecuteMode = 'trigger';
 
diff --git a/packages/core/src/execution-engine/__tests__/workflow-execute.test.ts b/packages/core/src/execution-engine/__tests__/workflow-execute.test.ts
index 13eb0cb4286..2cafb16f481 100644
--- a/packages/core/src/execution-engine/__tests__/workflow-execute.test.ts
+++ b/packages/core/src/execution-engine/__tests__/workflow-execute.test.ts
@@ -1131,7 +1131,13 @@ describe('WorkflowExecute', () => {
 				});
 			});
 		});
-		const workflowExecute = new WorkflowExecute(mock(), 'manual');
+		const workflowExecute = new WorkflowExecute(
+			mock<IWorkflowExecuteAdditionalData>({
+				webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+				formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+			}),
+			'manual',
+		);
 
 		it('should return null if there are no nodes', () => {
 			const workflow = new Workflow({
@@ -1419,7 +1425,10 @@ describe('WorkflowExecute', () => {
 
 		const executionData = mock<IExecuteData>();
 		const runExecutionData = mock<IRunExecutionData>();
-		const additionalData = mock<IWorkflowExecuteAdditionalData>();
+		const additionalData = mock<IWorkflowExecuteAdditionalData>({
+			webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+			formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+		});
 		const abortController = new AbortController();
 		const workflowExecute = new WorkflowExecute(additionalData, 'manual');
 
@@ -1531,7 +1540,14 @@ describe('WorkflowExecute', () => {
 
 			nodeTypes.getByNameAndVersion.mockReturnValue(nodeType);
 
-			workflowExecute = new WorkflowExecute(mock(), 'manual', runExecutionData);
+			workflowExecute = new WorkflowExecute(
+				mock<IWorkflowExecuteAdditionalData>({
+					webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+					formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+				}),
+				'manual',
+				runExecutionData,
+			);
 		});
 
 		test('should handle undefined error data input correctly', () => {
@@ -1709,7 +1725,14 @@ describe('WorkflowExecute', () => {
 
 		beforeEach(() => {
 			runExecutionData = createRunExecutionData();
-			workflowExecute = new WorkflowExecute(mock(), 'manual', runExecutionData);
+			workflowExecute = new WorkflowExecute(
+				mock<IWorkflowExecuteAdditionalData>({
+					webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+					formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+				}),
+				'manual',
+				runExecutionData,
+			);
 		});
 
 		test('should initialize waitingExecutionSource if undefined', () => {
@@ -1778,7 +1801,13 @@ describe('WorkflowExecute', () => {
 		let workflowExecute: WorkflowExecute;
 
 		beforeEach(() => {
-			workflowExecute = new WorkflowExecute(mock(), 'manual');
+			workflowExecute = new WorkflowExecute(
+				mock<IWorkflowExecuteAdditionalData>({
+					webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+					formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+				}),
+				'manual',
+			);
 		});
 
 		test('should return true when there are no input connections', () => {
@@ -1902,7 +1931,14 @@ describe('WorkflowExecute', () => {
 
 		beforeEach(() => {
 			runExecutionData = createRunExecutionData();
-			workflowExecute = new WorkflowExecute(mock(), 'manual', runExecutionData);
+			workflowExecute = new WorkflowExecute(
+				mock<IWorkflowExecuteAdditionalData>({
+					webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+					formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+				}),
+				'manual',
+				runExecutionData,
+			);
 		});
 
 		test('should do nothing when there is no metadata', () => {
@@ -1996,7 +2032,14 @@ describe('WorkflowExecute', () => {
 		test('should return complete IRun object with all properties correctly set', () => {
 			const runExecutionData = mock<IRunExecutionData>();
 
-			const workflowExecute = new WorkflowExecute(mock(), 'manual', runExecutionData);
+			const workflowExecute = new WorkflowExecute(
+				mock<IWorkflowExecuteAdditionalData>({
+					webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+					formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+				}),
+				'manual',
+				runExecutionData,
+			);
 
 			const startedAt = new Date('2023-01-01T00:00:00.000Z');
 			jest.useFakeTimers().setSystemTime(startedAt);
@@ -2196,7 +2239,13 @@ describe('WorkflowExecute', () => {
 		let workflowExecute: WorkflowExecute;
 
 		beforeEach(() => {
-			workflowExecute = new WorkflowExecute(mock(), 'manual');
+			workflowExecute = new WorkflowExecute(
+				mock<IWorkflowExecuteAdditionalData>({
+					webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+					formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+				}),
+				'manual',
+			);
 		});
 
 		test('should handle undefined node output', () => {
@@ -2314,7 +2363,14 @@ describe('WorkflowExecute', () => {
 				data: {},
 				source: null,
 			};
-			workflowExecute = new WorkflowExecute(mock(), 'manual', runExecutionData);
+			workflowExecute = new WorkflowExecute(
+				mock<IWorkflowExecuteAdditionalData>({
+					webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+					formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+				}),
+				'manual',
+				runExecutionData,
+			);
 			jest.resetAllMocks();
 		});
 
@@ -2389,7 +2445,10 @@ describe('WorkflowExecute', () => {
 		const nodeTypes = mock<INodeTypes>();
 
 		const runExecutionData = mock<IRunExecutionData>();
-		const additionalData = mock<IWorkflowExecuteAdditionalData>();
+		const additionalData = mock<IWorkflowExecuteAdditionalData>({
+			webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+			formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+		});
 		const workflowExecute = new WorkflowExecute(additionalData, 'manual');
 
 		const testCases: Array<{
@@ -2530,7 +2589,10 @@ describe('WorkflowExecute', () => {
 			});
 
 			mockHooks = mock<ExecutionLifecycleHooks>();
-			additionalData = mock<IWorkflowExecuteAdditionalData>();
+			additionalData = mock<IWorkflowExecuteAdditionalData>({
+				webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+				formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+			});
 			additionalData.hooks = mockHooks;
 			additionalData.currentNodeExecutionIndex = 0;
 
@@ -2998,6 +3060,7 @@ describe('WorkflowExecute', () => {
 						waitingExecutionSource: {},
 						runtimeData: { version: 1, establishedAt: 1763723652184, source: 'manual' },
 					},
+					resumeToken: runHook.mock.lastCall[1][0].data?.resumeToken,
 				},
 			};
 
diff --git a/packages/core/src/execution-engine/node-execution-context/__tests__/execute-context.test.ts b/packages/core/src/execution-engine/node-execution-context/__tests__/execute-context.test.ts
index c6b914e01b0..26621c570a0 100644
--- a/packages/core/src/execution-engine/node-execution-context/__tests__/execute-context.test.ts
+++ b/packages/core/src/execution-engine/node-execution-context/__tests__/execute-context.test.ts
@@ -66,7 +66,11 @@ describe('ExecuteContext', () => {
 		nullParameter: null,
 	};
 	const credentialsHelper = mock<ICredentialsHelper>();
-	const additionalData = mock<IWorkflowExecuteAdditionalData>({ credentialsHelper });
+	const additionalData = mock<IWorkflowExecuteAdditionalData>({
+		credentialsHelper,
+		webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+		formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+	});
 	const mode: WorkflowExecuteMode = 'manual';
 	const runExecutionData = mock<IRunExecutionData>();
 	const connectionInputData: INodeExecutionData[] = [];
diff --git a/packages/core/src/execution-engine/node-execution-context/__tests__/execute-single-context.test.ts b/packages/core/src/execution-engine/node-execution-context/__tests__/execute-single-context.test.ts
index 8953d3ea55d..09c8a12f320 100644
--- a/packages/core/src/execution-engine/node-execution-context/__tests__/execute-single-context.test.ts
+++ b/packages/core/src/execution-engine/node-execution-context/__tests__/execute-single-context.test.ts
@@ -51,7 +51,11 @@ describe('ExecuteSingleContext', () => {
 		testParameter: 'testValue',
 	};
 	const credentialsHelper = mock<ICredentialsHelper>();
-	const additionalData = mock<IWorkflowExecuteAdditionalData>({ credentialsHelper });
+	const additionalData = mock<IWorkflowExecuteAdditionalData>({
+		credentialsHelper,
+		webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+		formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+	});
 	const mode: WorkflowExecuteMode = 'manual';
 	const runExecutionData = mock<IRunExecutionData>();
 	const connectionInputData: INodeExecutionData[] = [];
diff --git a/packages/core/src/execution-engine/node-execution-context/__tests__/node-execution-context.test.ts b/packages/core/src/execution-engine/node-execution-context/__tests__/node-execution-context.test.ts
index 2aabf4a4199..b5775eae3de 100644
--- a/packages/core/src/execution-engine/node-execution-context/__tests__/node-execution-context.test.ts
+++ b/packages/core/src/execution-engine/node-execution-context/__tests__/node-execution-context.test.ts
@@ -23,7 +23,7 @@ describe('NodeExecutionContext', () => {
 	const instanceSettings = mock<InstanceSettings>({
 		instanceId: 'abc123',
 		encryptionKey: 'testEncryptionKey',
-		hmacSignatureSecret: 'testHmacSignatureSecret',
+		hmacSignatureSecret: 'test-hmac-secret',
 	});
 	Container.set(InstanceSettings, instanceSettings);
 
@@ -41,6 +41,8 @@ describe('NodeExecutionContext', () => {
 	});
 	const additionalData = mock<IWorkflowExecuteAdditionalData>({
 		credentialsHelper: mock(),
+		webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+		formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
 	});
 
 	const mode: WorkflowExecuteMode = 'manual';
@@ -228,6 +230,8 @@ describe('NodeExecutionContext', () => {
 
 			const mockAdditionalData = mock<IWorkflowExecuteAdditionalData>({
 				credentialsHelper: mockCredentialsHelper,
+				webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+				formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
 			});
 
 			const contextWithCredentials = new TestContext(
@@ -438,30 +442,43 @@ describe('NodeExecutionContext', () => {
 				mock<IWorkflowExecuteAdditionalData>({
 					executionId: '123',
 					webhookWaitingBaseUrl: 'http://localhost/waiting-webhook',
+					formWaitingBaseUrl: 'http://localhost/form-waiting',
 				}),
 				mode,
 				createRunExecutionData({
-					validateSignature: true,
 					resultData: { runData: {} },
 				}),
 			);
 			nodeTypes.getByNameAndVersion.mockReturnValue(nodeType);
 		});
-		it('should return a signed resume URL with no query parameters', () => {
+		it('should return a resume URL with HMAC signature', () => {
 			const result = testContext.getSignedResumeUrl();
 
-			expect(result).toBe(
-				'http://localhost/waiting-webhook/123/node456?signature=8e48dfd1107c1a736f70e7399493ffc50a2e8edd44f389c5f9c058da961682e7',
+			// URL should contain base path and a signature (64-char hex HMAC-SHA256)
+			expect(result).toMatch(
+				/^http:\/\/localhost\/waiting-webhook\/123\/node456\?signature=[a-f0-9]{64}$/,
 			);
 		});
 
-		it('should return a signed resume URL with query parameters', () => {
+		it('should return a resume URL with query parameters and HMAC signature', () => {
 			const result = testContext.getSignedResumeUrl({ approved: 'true' });
 
-			expect(result).toBe(
-				'http://localhost/waiting-webhook/123/node456?approved=true&signature=11c5efc97a0d6f2ea9045dba6e397596cba29dc24adb44a9ebd3d1272c991e9b',
+			// URL should contain base path, approved param, and a signature (64-char hex HMAC-SHA256)
+			expect(result).toMatch(
+				/^http:\/\/localhost\/waiting-webhook\/123\/node456\?approved=true&signature=[a-f0-9]{64}$/,
 			);
 		});
+
+		it('should generate consistent HMAC signatures for the same URL', () => {
+			const result1 = testContext.getSignedResumeUrl();
+			const result2 = testContext.getSignedResumeUrl();
+
+			// Same URL should produce the same HMAC signature
+			const token1 = new URL(result1).searchParams.get('signature');
+			const token2 = new URL(result2).searchParams.get('signature');
+
+			expect(token1).toBe(token2);
+		});
 	});
 
 	describe('nodeFeatures', () => {
diff --git a/packages/core/src/execution-engine/node-execution-context/__tests__/supply-data-context.test.ts b/packages/core/src/execution-engine/node-execution-context/__tests__/supply-data-context.test.ts
index dc90e4fbdf9..260dfd9cab4 100644
--- a/packages/core/src/execution-engine/node-execution-context/__tests__/supply-data-context.test.ts
+++ b/packages/core/src/execution-engine/node-execution-context/__tests__/supply-data-context.test.ts
@@ -59,7 +59,11 @@ describe('SupplyDataContext', () => {
 		testParameter: 'testValue',
 	};
 	const credentialsHelper = mock<ICredentialsHelper>();
-	const additionalData = mock<IWorkflowExecuteAdditionalData>({ credentialsHelper });
+	const additionalData = mock<IWorkflowExecuteAdditionalData>({
+		credentialsHelper,
+		webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+		formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
+	});
 	const mode: WorkflowExecuteMode = 'manual';
 	const runExecutionData = mock<IRunExecutionData>({
 		resultData: { runData: {} },
@@ -270,6 +274,8 @@ describe('SupplyDataContext', () => {
 				credentialsHelper,
 				hooks: mockHooks,
 				currentNodeExecutionIndex: 0,
+				webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+				formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
 			});
 			const testRunExecutionData = mock<IRunExecutionData>({
 				resultData: {
@@ -427,6 +433,8 @@ describe('SupplyDataContext', () => {
 				credentialsHelper,
 				hooks: mockHooks,
 				currentNodeExecutionIndex: 0,
+				webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+				formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
 			});
 			const testRunExecutionData = mock<IRunExecutionData>({
 				resultData: {
@@ -494,6 +502,8 @@ describe('SupplyDataContext', () => {
 				credentialsHelper,
 				hooks: mockHooks,
 				currentNodeExecutionIndex: 0,
+				webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+				formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
 			});
 
 			// Create run execution data with plain object (not mock) to avoid mock functions
@@ -560,6 +570,8 @@ describe('SupplyDataContext', () => {
 				credentialsHelper,
 				hooks: mockHooks,
 				currentNodeExecutionIndex: 0,
+				webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+				formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
 			});
 			const testRunExecutionData = mock<IRunExecutionData>({
 				resultData: {
diff --git a/packages/core/src/execution-engine/node-execution-context/node-execution-context.ts b/packages/core/src/execution-engine/node-execution-context/node-execution-context.ts
index ea8d98aa2c5..a9ac6cd04e8 100644
--- a/packages/core/src/execution-engine/node-execution-context/node-execution-context.ts
+++ b/packages/core/src/execution-engine/node-execution-context/node-execution-context.ts
@@ -41,13 +41,13 @@ import {
 	WAITING_TOKEN_QUERY_PARAM,
 } from '@/constants';
 import { InstanceSettings } from '@/instance-settings';
+import { generateUrlSignature, prepareUrlForSigning } from '@/utils/signature-helpers';
 
 import { cleanupParameterData } from './utils/cleanup-parameter-data';
 import { ensureType } from './utils/ensure-type';
 import { extractValue } from './utils/extract-value';
 import { getAdditionalKeys } from './utils/get-additional-keys';
 import { validateValueAgainstSchema } from './utils/validate-value-against-schema';
-import { generateUrlSignature, prepareUrlForSigning } from '../../utils/signature-helpers';
 
 export abstract class NodeExecutionContext implements Omit<FunctionsBase, 'getCredentials'> {
 	protected readonly instanceSettings = Container.get(InstanceSettings);
@@ -248,10 +248,6 @@ export abstract class NodeExecutionContext implements Omit<FunctionsBase, 'getCr
 		return this.instanceSettings.instanceId;
 	}
 
-	setSignatureValidationRequired() {
-		if (this.runExecutionData) this.runExecutionData.validateSignature = true;
-	}
-
 	getSignedResumeUrl(parameters: Record<string, string> = {}) {
 		const { webhookWaitingBaseUrl, executionId } = this.additionalData;
 
@@ -265,11 +261,14 @@ export abstract class NodeExecutionContext implements Omit<FunctionsBase, 'getCr
 			baseURL.searchParams.set(key, value);
 		}
 
+		// Sign the full URL (pathname + query params) using instance secret as HMAC key
+		// This ensures action parameters (like approved=true/false) cannot be tampered with
 		const urlForSigning = prepareUrlForSigning(baseURL);
-
-		const token = generateUrlSignature(urlForSigning, this.instanceSettings.hmacSignatureSecret);
-
-		baseURL.searchParams.set(WAITING_TOKEN_QUERY_PARAM, token);
+		const signature = generateUrlSignature(
+			urlForSigning,
+			this.instanceSettings.hmacSignatureSecret,
+		);
+		baseURL.searchParams.set(WAITING_TOKEN_QUERY_PARAM, signature);
 
 		return baseURL.toString();
 	}
diff --git a/packages/core/src/execution-engine/node-execution-context/utils/__tests__/get-additional-keys.test.ts b/packages/core/src/execution-engine/node-execution-context/utils/__tests__/get-additional-keys.test.ts
index 67f43ab2cbb..39cc8411075 100644
--- a/packages/core/src/execution-engine/node-execution-context/utils/__tests__/get-additional-keys.test.ts
+++ b/packages/core/src/execution-engine/node-execution-context/utils/__tests__/get-additional-keys.test.ts
@@ -1,5 +1,4 @@
 import { mock } from 'jest-mock-extended';
-import { LoggerProxy } from 'n8n-workflow';
 import type { IDataObject, IRunExecutionData, IWorkflowExecuteAdditionalData } from 'n8n-workflow';
 
 import { PLACEHOLDER_EMPTY_EXECUTION_ID } from '@/constants';
@@ -28,7 +27,6 @@ describe('getAdditionalKeys', () => {
 	});
 
 	beforeAll(() => {
-		LoggerProxy.init(mock());
 		externalSecretsProxy.hasProvider.mockReturnValue(true);
 		externalSecretsProxy.hasSecret.mockReturnValue(true);
 		externalSecretsProxy.getSecret.mockReturnValue('secret-value');
@@ -90,12 +88,40 @@ describe('getAdditionalKeys', () => {
 		}).toThrow();
 	});
 
-	it('should correctly set resume URLs', () => {
+	it('should set plain resume URLs when runExecutionData has no resumeToken', () => {
+		const dataWithoutToken = mock<IRunExecutionData>({
+			resumeToken: undefined,
+			resultData: { runData: {}, metadata: {} },
+		});
+		const result = getAdditionalKeys(additionalData, 'manual', dataWithoutToken);
+
+		expect(result.$execution?.resumeUrl).toBe('https://webhook.test/123');
+		expect(result.$execution?.resumeFormUrl).toBe('https://form.test/123');
+		expect(result.$resumeWebhookUrl).toBe('https://webhook.test/123');
+	});
+
+	it('should append resumeToken to resume URLs when runExecutionData has a token', () => {
+		const dataWithToken = mock<IRunExecutionData>({
+			resumeToken: 'a'.repeat(64),
+			resultData: { runData: {}, metadata: {} },
+		});
+
+		const result = getAdditionalKeys(additionalData, 'manual', dataWithToken);
+
+		const resumeUrl = new URL(result.$execution?.resumeUrl ?? '');
+		const resumeFormUrl = new URL(result.$execution?.resumeFormUrl ?? '');
+		const deprecatedUrl = new URL(result.$resumeWebhookUrl ?? '');
+
+		expect(resumeUrl.searchParams.get('signature')).toBe('a'.repeat(64));
+		expect(resumeFormUrl.searchParams.get('signature')).toBe('a'.repeat(64));
+		expect(deprecatedUrl.searchParams.get('signature')).toBe('a'.repeat(64));
+	});
+
+	it('should set plain resume URLs when runExecutionData is null', () => {
 		const result = getAdditionalKeys(additionalData, 'manual', null);
 
 		expect(result.$execution?.resumeUrl).toBe('https://webhook.test/123');
 		expect(result.$execution?.resumeFormUrl).toBe('https://form.test/123');
-		expect(result.$resumeWebhookUrl).toBe('https://webhook.test/123'); // Test deprecated property
 	});
 
 	it('should return test mode when manual', () => {
diff --git a/packages/core/src/execution-engine/node-execution-context/utils/get-additional-keys.ts b/packages/core/src/execution-engine/node-execution-context/utils/get-additional-keys.ts
index 3645fa20c8f..58871d8494b 100644
--- a/packages/core/src/execution-engine/node-execution-context/utils/get-additional-keys.ts
+++ b/packages/core/src/execution-engine/node-execution-context/utils/get-additional-keys.ts
@@ -6,7 +6,7 @@ import type {
 } from 'n8n-workflow';
 import { LoggerProxy } from 'n8n-workflow';
 
-import { PLACEHOLDER_EMPTY_EXECUTION_ID } from '@/constants';
+import { PLACEHOLDER_EMPTY_EXECUTION_ID, WAITING_TOKEN_QUERY_PARAM } from '@/constants';
 
 import {
 	setWorkflowExecutionMetadata,
@@ -16,6 +16,12 @@ import {
 } from './execution-metadata';
 import { getSecretsProxy } from './get-secrets-proxy';
 
+function appendResumeToken(url: string, token: string): string {
+	const urlObj = new URL(url);
+	urlObj.searchParams.set(WAITING_TOKEN_QUERY_PARAM, token);
+	return urlObj.toString();
+}
+
 /** Returns the additional keys for Expressions and Function-Nodes */
 export function getAdditionalKeys(
 	additionalData: IWorkflowExecuteAdditionalData,
@@ -23,8 +29,13 @@ export function getAdditionalKeys(
 	runExecutionData: IRunExecutionData | null,
 ): IWorkflowDataProxyAdditionalKeys {
 	const executionId = additionalData.executionId ?? PLACEHOLDER_EMPTY_EXECUTION_ID;
-	const resumeUrl = `${additionalData.webhookWaitingBaseUrl}/${executionId}`;
-	const resumeFormUrl = `${additionalData.formWaitingBaseUrl}/${executionId}`;
+
+	let resumeUrl = `${additionalData.webhookWaitingBaseUrl}/${executionId}`;
+	let resumeFormUrl = `${additionalData.formWaitingBaseUrl}/${executionId}`;
+	if (runExecutionData?.resumeToken) {
+		resumeUrl = appendResumeToken(resumeUrl, runExecutionData.resumeToken);
+		resumeFormUrl = appendResumeToken(resumeFormUrl, runExecutionData.resumeToken);
+	}
 	return {
 		$execution: {
 			id: executionId,
diff --git a/packages/core/src/execution-engine/workflow-execute.ts b/packages/core/src/execution-engine/workflow-execute.ts
index eed1d508a00..f118b4faac5 100644
--- a/packages/core/src/execution-engine/workflow-execute.ts
+++ b/packages/core/src/execution-engine/workflow-execute.ts
@@ -181,6 +181,7 @@ export class WorkflowExecute {
 			resultData: {
 				pinData,
 			},
+			resumeToken: this.runExecutionData.resumeToken,
 		});
 
 		return this.processRunExecutionData(workflow);
@@ -295,6 +296,7 @@ export class WorkflowExecute {
 				waitingExecution,
 				waitingExecutionSource,
 			},
+			resumeToken: this.runExecutionData.resumeToken,
 		});
 
 		// Still passing the original workflow here, because the WorkflowDataProxy
diff --git a/packages/core/src/utils/__tests__/signature-helpers.test.ts b/packages/core/src/utils/__tests__/signature-helpers.test.ts
deleted file mode 100644
index cc98c5d45f7..00000000000
--- a/packages/core/src/utils/__tests__/signature-helpers.test.ts
+++ /dev/null
@@ -1,26 +0,0 @@
-import { generateUrlSignature } from '../signature-helpers';
-
-describe('signature-helpers', () => {
-	const secret = 'test-secret';
-	const baseUrl = 'http://localhost:5678';
-
-	describe('generateUrlSignature', () => {
-		it('should generate a signature token', () => {
-			const url = `${baseUrl}/webhook/abc`;
-			const token = generateUrlSignature(url, secret);
-			expect(token).toBe('fe7f1e4c11f875b2d24681e0b28d0bfed6d66381af5b0ab9633da2202a895243');
-		});
-
-		it('should generate a different token for a different url', () => {
-			const url = `${baseUrl}/webhook/def`;
-			const token = generateUrlSignature(url, secret);
-			expect(token).toBe('ab8e72e7a0e47689596a6550283cbef9e2797b7370b0d6d99c89ee7c2394ea8f');
-		});
-
-		it('should generate a different token for a different secret', () => {
-			const url = `${baseUrl}/webhook/abc`;
-			const token = generateUrlSignature(url, 'different-secret');
-			expect(token).toBe('84a99b6950e12ffcf1fcf8e0fc0986c0c8a46df331932efd79b17e0c11801bd2');
-		});
-	});
-});
diff --git a/packages/core/src/utils/signature-helpers.ts b/packages/core/src/utils/signature-helpers.ts
index fa8d8081a75..434a9604f81 100644
--- a/packages/core/src/utils/signature-helpers.ts
+++ b/packages/core/src/utils/signature-helpers.ts
@@ -1,16 +1,40 @@
-import crypto from 'crypto';
+import { createHmac, timingSafeEqual } from 'crypto';
+
+import { WAITING_TOKEN_QUERY_PARAM } from '../constants';
 
 /**
- * Generate signature token from url and secret
+ * Generate HMAC-SHA256 signature from URL and secret.
+ * Used to create tamper-proof resume URLs that include action parameters.
  */
-export function generateUrlSignature(url: string, secret: string) {
-	const token = crypto.createHmac('sha256', secret).update(url).digest('hex');
-	return token;
+export function generateUrlSignature(url: string, secret: string): string {
+	return createHmac('sha256', secret).update(url).digest('hex');
 }
 
 /**
  * Prepare url for signing
  */
-export function prepareUrlForSigning(url: URL) {
-	return `${url.host}${url.pathname}${url.search}`;
+export function prepareUrlForSigning(url: URL): string {
+	const urlForSigning = new URL(url.toString());
+	urlForSigning.searchParams.delete(WAITING_TOKEN_QUERY_PARAM);
+	return `${urlForSigning.pathname}${urlForSigning.search}`;
+}
+
+/**
+ * Validate that a provided signature matches the expected HMAC signature for the URL.
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * @param providedSignature - The signature from the request
+ * @param url - The full request URL
+ * @param secret - The HMAC secret (instance signature secret)
+ * @returns true if signature is valid
+ */
+export function validateUrlSignature(providedSignature: string, url: URL, secret: string): boolean {
+	const urlString = prepareUrlForSigning(url);
+	const expectedSignature = generateUrlSignature(urlString, secret);
+
+	if (providedSignature.length !== expectedSignature.length) {
+		return false;
+	}
+
+	return timingSafeEqual(Buffer.from(providedSignature), Buffer.from(expectedSignature));
 }
diff --git a/packages/core/test/helpers/index.ts b/packages/core/test/helpers/index.ts
index a8e31e87b3e..cb3e1475cfa 100644
--- a/packages/core/test/helpers/index.ts
+++ b/packages/core/test/helpers/index.ts
@@ -57,6 +57,8 @@ export function WorkflowExecuteAdditionalData(
 	return mock<IWorkflowExecuteAdditionalData>({
 		hooks,
 		currentNodeExecutionIndex: 0,
+		webhookWaitingBaseUrl: 'http://localhost:5678/webhook-waiting',
+		formWaitingBaseUrl: 'http://localhost:5678/form-waiting',
 		// Not setting this to undefined would set it to a mock which would trigger
 		// conditions in the WorkflowExecute which only check if a property exists,
 		// e.g. `if (!this.additionalData.restartExecutionId)`. This would for
diff --git a/packages/frontend/editor-ui/src/app/stores/workflows.store.test.ts b/packages/frontend/editor-ui/src/app/stores/workflows.store.test.ts
index d32f9423b2d..8bdadf95747 100644
--- a/packages/frontend/editor-ui/src/app/stores/workflows.store.test.ts
+++ b/packages/frontend/editor-ui/src/app/stores/workflows.store.test.ts
@@ -100,6 +100,17 @@ vi.mock('@n8n/permissions', () => ({
 	})),
 }));
 
+vi.mock('@/features/execution/executions/executions.utils', async (importOriginal) => {
+	const original = await importOriginal<object>();
+	return {
+		...original,
+		openFormPopupWindow: vi.fn(),
+	};
+});
+
+// Import the mocked function after the mock is set up
+import { openFormPopupWindow } from '@/features/execution/executions/executions.utils';
+
 describe('useWorkflowsStore', () => {
 	let workflowsStore: ReturnType<typeof useWorkflowsStore>;
 	let workflowsListStore: ReturnType<typeof useWorkflowsListStore>;
@@ -1264,14 +1275,17 @@ describe('useWorkflowsStore', () => {
 
 			expect(workflowsStore.workflowExecutionData).toEqual({
 				...runWithExistingRunData,
-				data: createRunExecutionData({
-					resultData: {
-						lastNodeExecuted: 'When clicking ‘Execute workflow’',
-						runData: {
-							[successEvent.nodeName]: [successEvent.data],
+				data: {
+					...createRunExecutionData({
+						resultData: {
+							lastNodeExecuted: 'When clicking ‘Execute workflow’',
+							runData: {
+								[successEvent.nodeName]: [successEvent.data],
+							},
 						},
-					},
-				}),
+					}),
+					resumeToken: expect.any(String),
+				},
 			});
 		});
 
@@ -1319,14 +1333,17 @@ describe('useWorkflowsStore', () => {
 
 			expect(workflowsStore.workflowExecutionData).toEqual({
 				...executionResponse,
-				data: createRunExecutionData({
-					resultData: {
-						lastNodeExecuted: 'When clicking ‘Execute workflow’',
-						runData: {
-							[successEvent.nodeName]: [successEventWithExecutionIndex.data],
+				data: {
+					...createRunExecutionData({
+						resultData: {
+							lastNodeExecuted: 'When clicking ‘Execute workflow’',
+							runData: {
+								[successEvent.nodeName]: [successEventWithExecutionIndex.data],
+							},
 						},
-					},
-				}),
+					}),
+					resumeToken: expect.any(String),
+				},
 			});
 		});
 	});
@@ -2448,6 +2465,93 @@ describe('useWorkflowsStore', () => {
 		});
 	});
 
+	describe('updateNodeExecutionStatus - form popup', () => {
+		beforeEach(() => {
+			vi.mocked(openFormPopupWindow).mockClear();
+		});
+
+		it('should open form popup using metadata.resumeFormUrl when present', () => {
+			const nodeName = 'Wait';
+			const executionId = 'exec-123';
+			const signedFormUrl = 'http://localhost:5678/form-waiting/exec-123?signature=abc123';
+
+			// Setup workflow with a node
+			workflowsStore.setNodes([createTestNode({ name: nodeName, type: WAIT_NODE_TYPE })]);
+
+			// Initialize execution data directly
+			workflowsStore.workflowExecutionData = {
+				id: executionId,
+				workflowData: createTestWorkflow(),
+				finished: false,
+				mode: 'manual',
+				startedAt: new Date(),
+				createdAt: new Date(),
+				status: 'running',
+				data: createEmptyRunExecutionData(),
+			} as IExecutionResponse;
+
+			// Call updateNodeExecutionStatus with waiting status and metadata.resumeFormUrl
+			workflowsStore.updateNodeExecutionStatus({
+				executionId,
+				nodeName,
+				data: {
+					executionStatus: 'waiting',
+					startTime: Date.now(),
+					executionTime: 0,
+					executionIndex: 0,
+					source: [],
+					hints: [],
+					metadata: {
+						resumeFormUrl: signedFormUrl,
+					},
+				},
+				itemCountByConnectionType: {},
+			});
+
+			// Should open form popup with the signed URL from metadata
+			expect(openFormPopupWindow).toHaveBeenCalledWith(signedFormUrl);
+		});
+
+		it('should not open form popup when metadata.resumeFormUrl is not present', () => {
+			const nodeName = 'Wait';
+			const executionId = 'exec-456';
+
+			// Setup workflow with a node
+			workflowsStore.setNodes([createTestNode({ name: nodeName, type: WAIT_NODE_TYPE })]);
+
+			// Initialize execution data directly
+			workflowsStore.workflowExecutionData = {
+				id: executionId,
+				workflowData: createTestWorkflow(),
+				finished: false,
+				mode: 'manual',
+				startedAt: new Date(),
+				createdAt: new Date(),
+				status: 'running',
+				data: createEmptyRunExecutionData(),
+			} as IExecutionResponse;
+
+			// Call updateNodeExecutionStatus with waiting status but NO metadata.resumeFormUrl
+			workflowsStore.updateNodeExecutionStatus({
+				executionId,
+				nodeName,
+				data: {
+					executionStatus: 'waiting',
+					startTime: Date.now(),
+					executionTime: 0,
+					executionIndex: 0,
+					source: [],
+					hints: [],
+					// No metadata
+				},
+				itemCountByConnectionType: {},
+			});
+
+			// Should NOT open form popup
+			expect(openFormPopupWindow).not.toHaveBeenCalled();
+		});
+	});
+
 	describe('getNodeTypes() - getByNameAndVersion', () => {
 		beforeEach(() => {
 			setActivePinia(createPinia());
diff --git a/packages/frontend/editor-ui/src/app/stores/workflows.store.ts b/packages/frontend/editor-ui/src/app/stores/workflows.store.ts
index b196e2e8b5f..0204b837411 100644
--- a/packages/frontend/editor-ui/src/app/stores/workflows.store.ts
+++ b/packages/frontend/editor-ui/src/app/stores/workflows.store.ts
@@ -1164,13 +1164,6 @@ export const useWorkflowsStore = defineStore(STORES.WORKFLOWS, () => {
 		}
 	}
 
-	function getFormResumeUrl(node: INode, executionId: string) {
-		const { webhookSuffix } = (node.parameters.options ?? {}) as IDataObject;
-		const suffix = webhookSuffix && typeof webhookSuffix !== 'object' ? `/${webhookSuffix}` : '';
-		const testUrl = `${rootStore.formWaitingUrl}/${executionId}${suffix}`;
-		return testUrl;
-	}
-
 	function addNodeExecutionStartedData(data: NodeExecuteBefore['data']): void {
 		const currentData =
 			workflowExecutionStartedData.value?.[0] === data.executionId
@@ -1191,7 +1184,7 @@ export const useWorkflowsStore = defineStore(STORES.WORKFLOWS, () => {
 			throw new Error('The "workflowExecutionData" is not initialized!');
 		}
 
-		const { nodeName, data, executionId } = pushData;
+		const { nodeName, data } = pushData;
 		const isNodeWaiting = data.executionStatus === 'waiting';
 		const node = getNodeByName(nodeName);
 		if (!node) return;
@@ -1207,12 +1200,8 @@ export const useWorkflowsStore = defineStore(STORES.WORKFLOWS, () => {
 			tasksData.push(data);
 			workflowExecutionResultDataLastUpdate.value = Date.now();
 
-			if (
-				node.type === FORM_NODE_TYPE ||
-				(node.type === WAIT_NODE_TYPE && node.parameters.resume === 'form')
-			) {
-				const testUrl = getFormResumeUrl(node, executionId);
-				openFormPopupWindow(testUrl);
+			if (data.metadata?.resumeFormUrl) {
+				openFormPopupWindow(data.metadata.resumeFormUrl);
 			}
 		} else {
 			// If we process items in parallel on subnodes we get several placeholder taskData items.
diff --git a/packages/frontend/editor-ui/src/features/execution/executions/executions.utils.test.ts b/packages/frontend/editor-ui/src/features/execution/executions/executions.utils.test.ts
index 2b0e1b70713..07ca0b46ec0 100644
--- a/packages/frontend/editor-ui/src/features/execution/executions/executions.utils.test.ts
+++ b/packages/frontend/editor-ui/src/features/execution/executions/executions.utils.test.ts
@@ -538,6 +538,54 @@ describe('waitingNodeTooltip', () => {
 		// Test without workflow - should return the raw tooltip string
 		expect(waitingNodeTooltip(node)).toBe('Waiting for approval...');
 	});
+
+	it('should use metadata.resumeUrl when provided for webhook resume type', () => {
+		const node: INodeUi = {
+			id: '1',
+			name: 'Wait',
+			type: 'n8n-nodes-base.wait',
+			typeVersion: 1,
+			position: [0, 0],
+			parameters: {
+				resume: 'webhook',
+			},
+		};
+		const metadata = { resumeUrl: 'http://signed.com/wait/123?signature=abc123' };
+		const result = waitingNodeTooltip(node, mockWorkflow, metadata);
+		expect(result).toContain('http://signed.com/wait/123?signature=abc123');
+	});
+
+	it('should use metadata.resumeFormUrl when provided for form resume type', () => {
+		const node: INodeUi = {
+			id: '1',
+			name: 'Wait',
+			type: 'n8n-nodes-base.wait',
+			typeVersion: 1,
+			position: [0, 0],
+			parameters: {
+				resume: 'form',
+			},
+		};
+		const metadata = { resumeFormUrl: 'http://signed.com/form/123?signature=xyz789' };
+		const result = waitingNodeTooltip(node, mockWorkflow, metadata);
+		expect(result).toContain('http://signed.com/form/123?signature=xyz789');
+	});
+
+	it('should fall back to constructed URL when metadata is not provided', () => {
+		const node: INodeUi = {
+			id: '1',
+			name: 'Wait',
+			type: 'n8n-nodes-base.wait',
+			typeVersion: 1,
+			position: [0, 0],
+			parameters: {
+				resume: 'webhook',
+			},
+		};
+		// No metadata passed - should use constructed URL from store
+		const result = waitingNodeTooltip(node, mockWorkflow);
+		expect(result).toContain('http://localhost:5678/webhook-waiting/123');
+	});
 });
 
 const executionErrorFactory = (error: Record<string, unknown>) =>
diff --git a/packages/frontend/editor-ui/src/features/execution/executions/executions.utils.ts b/packages/frontend/editor-ui/src/features/execution/executions/executions.utils.ts
index ee52cd6bc4c..0c4acc991cf 100644
--- a/packages/frontend/editor-ui/src/features/execution/executions/executions.utils.ts
+++ b/packages/frontend/editor-ui/src/features/execution/executions/executions.utils.ts
@@ -185,31 +185,41 @@ export async function displayForm({
 	}
 }
 
-export const waitingNodeTooltip = (node: INodeUi | null | undefined, workflow?: Workflow) => {
+export const waitingNodeTooltip = (
+	node: INodeUi | null | undefined,
+	workflow?: Workflow,
+	metadata?: { resumeUrl?: string; resumeFormUrl?: string },
+) => {
 	if (!node) return '';
 	try {
-		const waitingNodeTooltip = useNodeTypesStore().getNodeType(node.type)?.waitingNodeTooltip;
-		if (waitingNodeTooltip) {
+		const waitingNodeTooltipFromNodeType = useNodeTypesStore().getNodeType(
+			node.type,
+		)?.waitingNodeTooltip;
+		if (waitingNodeTooltipFromNodeType) {
 			const activeExecutionId = useWorkflowsStore().activeExecutionId as string;
+			// Use signed URLs from metadata if available
+			// otherwise fall back to constructing URLs without token
 			const additionalData: IWorkflowDataProxyAdditionalKeys = {
 				$execution: {
 					id: activeExecutionId,
 					mode: 'test',
-					resumeUrl: `${useRootStore().webhookWaitingUrl}/${activeExecutionId}`,
-					resumeFormUrl: `${useRootStore().formWaitingUrl}/${activeExecutionId}`,
+					resumeUrl:
+						metadata?.resumeUrl ?? `${useRootStore().webhookWaitingUrl}/${activeExecutionId}`,
+					resumeFormUrl:
+						metadata?.resumeFormUrl ?? `${useRootStore().formWaitingUrl}/${activeExecutionId}`,
 				},
 			};
 			if (workflow) {
 				const tooltip = workflow.expression.getSimpleParameterValue(
 					node,
-					waitingNodeTooltip,
+					waitingNodeTooltipFromNodeType,
 					'internal',
 					additionalData,
 				);
 
 				return String(tooltip);
-			} else if (waitingNodeTooltip) {
-				return waitingNodeTooltip;
+			} else if (waitingNodeTooltipFromNodeType) {
+				return waitingNodeTooltipFromNodeType;
 			}
 		}
 	} catch (error) {
diff --git a/packages/frontend/editor-ui/src/features/execution/logs/components/LogsViewRunData.vue b/packages/frontend/editor-ui/src/features/execution/logs/components/LogsViewRunData.vue
index 7ec77b8cc2e..64d339ca54d 100644
--- a/packages/frontend/editor-ui/src/features/execution/logs/components/LogsViewRunData.vue
+++ b/packages/frontend/editor-ui/src/features/execution/logs/components/LogsViewRunData.vue
@@ -121,7 +121,11 @@ function handleChangeDisplayMode(value: IRunDataDisplayMode) {
 
 		<template #node-waiting>
 			<NDVEmptyState :title="locale.baseText('ndv.output.waitNodeWaiting.title')" wide>
-				<span v-n8n-html="waitingNodeTooltip(logEntry.node, logEntry.workflow)" />
+				<span
+					v-n8n-html="
+						waitingNodeTooltip(logEntry.node, logEntry.workflow, logEntry.runData?.metadata)
+					"
+				/>
 			</NDVEmptyState>
 		</template>
 
diff --git a/packages/frontend/editor-ui/src/features/ndv/panel/components/InputPanel.vue b/packages/frontend/editor-ui/src/features/ndv/panel/components/InputPanel.vue
index 9b39535678e..8947a416830 100644
--- a/packages/frontend/editor-ui/src/features/ndv/panel/components/InputPanel.vue
+++ b/packages/frontend/editor-ui/src/features/ndv/panel/components/InputPanel.vue
@@ -249,12 +249,15 @@ const activeNodeType = computed(() => {
 
 const waitingMessage = computed(() => {
 	const parentNode = parentNodes.value[0];
-	return (
-		parentNode &&
-		waitingNodeTooltip(
-			workflowDocumentStore?.value?.getNodeByName(parentNode.name) ?? null,
-			props.workflowObject,
-		)
+	if (!parentNode) return '';
+
+	const runData = workflowsStore.getWorkflowExecution?.data?.resultData?.runData;
+	const parentRunData = runData?.[parentNode.name]?.[0];
+
+	return waitingNodeTooltip(
+		workflowDocumentStore?.value?.getNodeByName(parentNode.name) ?? null,
+		props.workflowObject,
+		parentRunData?.metadata,
 	);
 });
 
diff --git a/packages/frontend/editor-ui/src/features/ndv/panel/components/OutputPanel.vue b/packages/frontend/editor-ui/src/features/ndv/panel/components/OutputPanel.vue
index b41df29aa59..d48ecde915b 100644
--- a/packages/frontend/editor-ui/src/features/ndv/panel/components/OutputPanel.vue
+++ b/packages/frontend/editor-ui/src/features/ndv/panel/components/OutputPanel.vue
@@ -471,7 +471,7 @@ function handleChangeCollapsingColumn(columnName: string | null) {
 
 		<template #node-waiting>
 			<NDVEmptyState :title="i18n.baseText('ndv.output.waitNodeWaiting.title')" wide>
-				<span v-n8n-html="waitingNodeTooltip(node, workflowObject)" />
+				<span v-n8n-html="waitingNodeTooltip(node, workflowObject, runTaskData?.metadata)" />
 			</NDVEmptyState>
 		</template>
 
diff --git a/packages/nodes-base/nodes/Form/Form.node.ts b/packages/nodes-base/nodes/Form/Form.node.ts
index bddf18cc7d2..00ec4c0a5fb 100644
--- a/packages/nodes-base/nodes/Form/Form.node.ts
+++ b/packages/nodes-base/nodes/Form/Form.node.ts
@@ -438,6 +438,11 @@ export class Form extends Node {
 		}
 
 		const waitTill = configureWaitTillDate(context, 'root');
+
+		// Add signed resumeFormUrl to metadata for frontend to use when opening form popup
+		const resumeFormUrl = context.evaluateExpression('{{ $execution.resumeFormUrl }}', 0) as string;
+		context.setMetadata({ resumeFormUrl });
+
 		await context.putExecutionToWait(waitTill);
 
 		context.sendResponse({
diff --git a/packages/nodes-base/nodes/Github/Github.node.ts b/packages/nodes-base/nodes/Github/Github.node.ts
index 61623598fd2..307d3309396 100644
--- a/packages/nodes-base/nodes/Github/Github.node.ts
+++ b/packages/nodes-base/nodes/Github/Github.node.ts
@@ -2373,6 +2373,9 @@ export class Github implements INodeType {
 				throw new NodeApiError(this.getNode(), error as JsonObject);
 			}
 
+			// Add signed resumeUrl to metadata for frontend to use in waiting tooltip
+			this.setMetadata({ resumeUrl });
+
 			await this.putExecutionToWait(WAIT_INDEFINITELY);
 			return [this.getInputData()];
 		}
diff --git a/packages/nodes-base/nodes/Wait/Wait.node.ts b/packages/nodes-base/nodes/Wait/Wait.node.ts
index a367432cfbd..8ddb01fad29 100644
--- a/packages/nodes-base/nodes/Wait/Wait.node.ts
+++ b/packages/nodes-base/nodes/Wait/Wait.node.ts
@@ -233,12 +233,22 @@ const waitingTooltip = (
 ) => {
 	const resume = parameters.resume;
 
-	if (['webhook', 'form'].includes(resume as string)) {
+	if (['webhook', 'form'].includes(resume)) {
 		const { webhookSuffix } = (parameters.options ?? {}) as { webhookSuffix: string };
 		const suffix = webhookSuffix && typeof webhookSuffix !== 'object' ? `/${webhookSuffix}` : '';
 
 		let message = '';
-		const url = `${resume === 'form' ? formResumeUrl : resumeUrl}${suffix}`;
+		const baseUrl = resume === 'form' ? formResumeUrl : resumeUrl;
+
+		// Insert suffix before query parameters if present (for URLs with ?signature=token)
+		// Note: Cannot use URL class here because it is not available in expressions
+		let url: string;
+		const queryIndex = baseUrl.indexOf('?');
+		if (queryIndex !== -1) {
+			url = baseUrl.slice(0, queryIndex) + suffix + baseUrl.slice(queryIndex);
+		} else {
+			url = baseUrl + suffix;
+		}
 
 		if (resume === 'form') {
 			message = 'Execution will continue when form is submitted on ';
@@ -502,10 +512,23 @@ export class Wait extends Webhook {
 			let hasFormTrigger = false;
 
 			if (resume === 'form') {
+				// Add signed resumeFormUrl to metadata for frontend to use when opening form popup
+				const resumeFormUrl = context.evaluateExpression(
+					'{{ $execution.resumeFormUrl }}',
+					0,
+				) as string;
+				context.setMetadata({ resumeFormUrl });
+
 				const parentNodes = context.getParentNodes(context.getNode().name);
 				hasFormTrigger = parentNodes.some((node) => node.type === FORM_TRIGGER_NODE_TYPE);
 			}
 
+			if (resume === 'webhook') {
+				// Add signed resumeUrl to metadata for frontend to use in waiting tooltip
+				const resumeUrl = context.evaluateExpression('{{ $execution.resumeUrl }}', 0) as string;
+				context.setMetadata({ resumeUrl });
+			}
+
 			const returnData = await this.configureAndPutToWait(context);
 
 			if (resume === 'form' && hasFormTrigger) {
diff --git a/packages/nodes-base/utils/sendAndWait/utils.ts b/packages/nodes-base/utils/sendAndWait/utils.ts
index 95f7c9f3d41..3c34cdc17f6 100644
--- a/packages/nodes-base/utils/sendAndWait/utils.ts
+++ b/packages/nodes-base/utils/sendAndWait/utils.ts
@@ -487,7 +487,6 @@ export function getSendAndWaitConfig(context: IExecuteFunctions): SendAndWaitCon
 
 	const responseType = context.getNodeParameter('responseType', 0, 'approval') as string;
 
-	context.setSignatureValidationRequired();
 	const approvedSignedResumeUrl = context.getSignedResumeUrl({ approved: 'true' });
 
 	if (responseType === 'freeText' || responseType === 'customForm') {
diff --git a/packages/testing/playwright/pages/CanvasPage.ts b/packages/testing/playwright/pages/CanvasPage.ts
index 803ed0167fd..7ac03d6ab7d 100644
--- a/packages/testing/playwright/pages/CanvasPage.ts
+++ b/packages/testing/playwright/pages/CanvasPage.ts
@@ -172,6 +172,9 @@ export class CanvasPage extends BasePage {
 	}
 
 	async clickExecuteWorkflowButton(triggerNodeName?: string): Promise<void> {
+		if (triggerNodeName) {
+			await this.nodeByName(triggerNodeName).hover();
+		}
 		await this.getExecuteWorkflowButton(triggerNodeName).click();
 	}
 
diff --git a/packages/testing/playwright/tests/e2e/api/wait-form-resume.spec.ts b/packages/testing/playwright/tests/e2e/api/wait-form-resume.spec.ts
new file mode 100644
index 00000000000..cca82ae8f99
--- /dev/null
+++ b/packages/testing/playwright/tests/e2e/api/wait-form-resume.spec.ts
@@ -0,0 +1,96 @@
+import flatted from 'flatted';
+
+import { test, expect } from '../../../fixtures/base';
+
+test.describe('Wait Node Form Resume', () => {
+	test.describe('signature validation', () => {
+		test('should reject unsigned and tampered requests, accept valid signature', async ({
+			api,
+		}) => {
+			const { webhookPath, workflowId } =
+				await api.workflows.importWorkflowFromFile('wait-form-resume.json');
+
+			// Trigger workflow via webhook to reach waiting state
+			const triggerResponse = await api.webhooks.trigger(`/webhook/${webhookPath}`, {
+				method: 'POST',
+			});
+			expect(triggerResponse.ok()).toBe(true);
+
+			// Wait for workflow to reach waiting state
+			const execution = await api.workflows.waitForWorkflowStatus(workflowId, 'waiting');
+			expect(execution).toBeDefined();
+
+			const unsignedResponse = await api.webhooks.trigger(`/form-waiting/${execution.id}`);
+			expect(unsignedResponse.status()).toBe(401);
+
+			// Verify HTML error page (not JSON)
+			const unsignedText = await unsignedResponse.text();
+			expect(unsignedText).toContain('<!DOCTYPE html>');
+			expect(unsignedText).toContain('Invalid Form Link');
+
+			// Try tampered signature - should also get 401
+			const tamperedResponse = await api.webhooks.trigger(
+				`/form-waiting/${execution.id}?signature=tampered_invalid_signature_abc123`,
+			);
+			expect(tamperedResponse.status()).toBe(401);
+
+			// Get the valid signed URL from execution data
+			const fullExecution = await api.workflows.getExecution(execution.id);
+			expect(fullExecution.data).toBeDefined();
+
+			const executionData = flatted.parse(fullExecution.data);
+			const captureNodeOutput = executionData.resultData.runData['Capture Form URL'];
+			expect(captureNodeOutput).toBeDefined();
+
+			const formUrl = captureNodeOutput[0].data.main[0][0].json.formUrl;
+			expect(formUrl).toBeDefined();
+			expect(formUrl).toContain('signature=');
+
+			// Extract path with signature and make valid request
+			const urlObj = new URL(formUrl);
+			const signedPath = `${urlObj.pathname}${urlObj.search}`;
+
+			const signedResponse = await api.webhooks.trigger(signedPath, {
+				maxNotFoundRetries: 0,
+			});
+			expect(signedResponse.ok()).toBe(true);
+		});
+	});
+
+	test.describe('manual execution form popup', () => {
+		test('should open form when Wait node enters waiting state', async ({ n8n }) => {
+			await n8n.start.fromBlankCanvas();
+
+			await n8n.canvas.clickNodeCreatorPlusButton();
+			await n8n.canvas.nodeCreatorItemByName('Trigger manually').click();
+
+			await n8n.canvas.addNode('Wait', { closeNDV: false });
+			await n8n.ndv.setParameterDropdown('resume', 'On Form Submitted');
+			await n8n.ndv.fillParameterInput('Form Title', 'Test Wait Form');
+			await n8n.ndv.addFixedCollectionItem();
+			await n8n.ndv.fillParameterInputByName('fieldLabel', 'Test Field');
+			await n8n.ndv.clickBackToCanvasButton();
+
+			const popupPromise = n8n.page.context().waitForEvent('page');
+			await n8n.canvas.clickExecuteWorkflowButton();
+
+			const formPage = await popupPromise;
+
+			await expect(formPage.getByText('Test Wait Form')).toBeVisible();
+			await expect(formPage.getByLabel('Test Field')).toBeVisible();
+
+			const url = formPage.url();
+			expect(url).toContain('form-waiting');
+			expect(url).toContain('signature=');
+
+			await formPage.getByLabel('Test Field').fill('test value');
+			await formPage.getByRole('button', { name: 'Submit' }).click();
+
+			await expect(formPage.getByText('Your response has been recorded')).toBeVisible();
+			await formPage.close();
+
+			await n8n.canvas.openNode('Wait');
+			await expect(n8n.ndv.outputPanel.getTbodyCell(0, 0)).toContainText('test value');
+		});
+	});
+});
diff --git a/packages/testing/playwright/tests/e2e/api/waiting-endpoint-security.spec.ts b/packages/testing/playwright/tests/e2e/api/waiting-endpoint-security.spec.ts
new file mode 100644
index 00000000000..6590b10153b
--- /dev/null
+++ b/packages/testing/playwright/tests/e2e/api/waiting-endpoint-security.spec.ts
@@ -0,0 +1,142 @@
+import flatted from 'flatted';
+
+import { test, expect } from '../../../fixtures/base';
+
+/**
+ * Security tests for waiting endpoint signature validation.
+ *
+ * These tests verify that form-waiting and webhook-waiting endpoints
+ * require valid HMAC signatures to prevent session interception attacks.
+ *
+ * Note: Send and Wait approval flow tests are in nodes/send-and-wait.spec.ts
+ */
+test.describe('Waiting Endpoint Security', () => {
+	test.describe('webhook-waiting signature validation', () => {
+		test('should reject unsigned and tampered requests, accept valid signature', async ({
+			api,
+		}) => {
+			const { webhookPath, workflowId } = await api.workflows.importWorkflowFromFile(
+				'wait-webhook-resume.json',
+			);
+
+			const triggerResponse = await api.webhooks.trigger(`/webhook/${webhookPath}`, {
+				method: 'POST',
+			});
+			expect(triggerResponse.ok()).toBe(true);
+
+			const execution = await api.workflows.waitForWorkflowStatus(workflowId, 'waiting');
+			expect(execution).toBeDefined();
+
+			const unsignedResponse = await api.webhooks.trigger(`/webhook-waiting/${execution.id}`, {
+				maxNotFoundRetries: 0,
+			});
+			expect(unsignedResponse.status()).toBe(401);
+
+			const tamperedResponse = await api.webhooks.trigger(
+				`/webhook-waiting/${execution.id}?signature=tampered_invalid_signature_abc123`,
+				{ maxNotFoundRetries: 0 },
+			);
+			expect(tamperedResponse.status()).toBe(401);
+
+			const fullExecution = await api.workflows.getExecution(execution.id);
+			expect(fullExecution.data).toBeDefined();
+
+			const executionData = flatted.parse(fullExecution.data);
+			const captureNodeOutput = executionData.resultData.runData['Capture Resume URL'];
+			expect(captureNodeOutput).toBeDefined();
+
+			const resumeUrl = captureNodeOutput[0].data.main[0][0].json.resumeUrl;
+			expect(resumeUrl).toBeDefined();
+			expect(resumeUrl).toContain('signature=');
+
+			// Accept valid signature
+			const urlObj = new URL(resumeUrl);
+			const signedPath = `${urlObj.pathname}${urlObj.search}`;
+
+			const signedResponse = await api.webhooks.trigger(signedPath, {
+				maxNotFoundRetries: 0,
+			});
+			expect(signedResponse.ok()).toBe(true);
+
+			const completedExecution = await api.workflows.waitForWorkflowStatus(
+				workflowId,
+				'success',
+				10000,
+			);
+			expect(completedExecution.status).toBe('success');
+		});
+	});
+
+	test.describe('form-waiting signature validation', () => {
+		test('should reject unsigned and tampered requests, accept valid signature', async ({
+			n8n,
+		}) => {
+			await n8n.start.fromBlankCanvas();
+
+			await n8n.canvas.clickNodeCreatorPlusButton();
+			await n8n.canvas.nodeCreatorItemByName('On form submission').click();
+			await n8n.ndv.fillParameterInput('Form Title', 'Security Test Form');
+			await n8n.ndv.fillParameterInput('Form Description', 'Testing signature validation');
+			await n8n.ndv.addFixedCollectionItem();
+			await n8n.ndv.fillParameterInputByName('fieldLabel', 'First field');
+			await n8n.ndv.clickBackToCanvasButton();
+
+			await n8n.canvas.addNode('n8n Form', { closeNDV: false, action: 'Next Form Page' });
+			await n8n.ndv.addFixedCollectionItem();
+			await n8n.ndv.fillParameterInputByName('fieldLabel', 'Second field');
+			await n8n.ndv.clickBackToCanvasButton();
+
+			await n8n.canvas.clickExecuteWorkflowButton();
+			await expect(n8n.canvas.getExecuteWorkflowButton()).toHaveText('Waiting for trigger event');
+
+			await n8n.canvas.openNode('On form submission');
+			const formUrlLocator = n8n.page.locator('text=/form-test\\/[a-f0-9-]+/');
+			await expect(formUrlLocator).toHaveText(/form-test\/[a-f0-9-]+/);
+			const formUrl = await formUrlLocator.textContent();
+
+			const formPage = await n8n.page.context().newPage();
+			await formPage.goto(formUrl!);
+			await formPage.getByLabel('First field').fill('test value');
+
+			const responsePromise = formPage.waitForResponse(
+				(resp) => resp.url().includes('/form-test/') && resp.request().method() === 'POST',
+			);
+			await formPage.getByRole('button', { name: 'Submit' }).click();
+
+			const postResponse = await responsePromise;
+			const responseBody = await postResponse.json();
+
+			expect(responseBody.formWaitingUrl).toBeDefined();
+			const waitingUrl: string = responseBody.formWaitingUrl;
+			expect(waitingUrl).toContain('signature=');
+
+			const urlObj = new URL(waitingUrl);
+			const executionId = urlObj.pathname.split('/').pop()!;
+			const validSignature = urlObj.searchParams.get('signature');
+
+			await expect(async () => {
+				const execution = await n8n.api.workflows.getExecution(executionId);
+				expect(execution.status).toBe('waiting');
+			}).toPass();
+
+			const unsignedResponse = await n8n.api.webhooks.trigger(`/form-waiting/${executionId}`, {
+				maxNotFoundRetries: 0,
+			});
+			expect(unsignedResponse.status()).toBe(401);
+
+			const tamperedResponse = await n8n.api.webhooks.trigger(
+				`/form-waiting/${executionId}?signature=tampered_fake_signature_xyz789`,
+				{ maxNotFoundRetries: 0 },
+			);
+			expect(tamperedResponse.status()).toBe(401);
+
+			const signedResponse = await n8n.api.webhooks.trigger(
+				`/form-waiting/${executionId}?signature=${validSignature}`,
+				{ maxNotFoundRetries: 0 },
+			);
+			expect(signedResponse.ok()).toBe(true);
+
+			await formPage.close();
+		});
+	});
+});
diff --git a/packages/testing/playwright/tests/e2e/nodes/send-and-wait.spec.ts b/packages/testing/playwright/tests/e2e/nodes/send-and-wait.spec.ts
new file mode 100644
index 00000000000..64bb8554652
--- /dev/null
+++ b/packages/testing/playwright/tests/e2e/nodes/send-and-wait.spec.ts
@@ -0,0 +1,270 @@
+import type { Page } from '@playwright/test';
+import type { ProxyServer } from 'n8n-containers/services/proxy';
+import type { IWorkflowBase } from 'n8n-workflow';
+
+import { test as base, expect } from '../../../fixtures/base';
+import type { CredentialResponse } from '../../../services/credential-api-helper';
+
+interface SlackBlock {
+	type: string;
+	elements?: Array<{ type: string; url?: string }>;
+}
+
+type SendAndWaitFixtures = {
+	slackCredential: CredentialResponse;
+	slackProxySetup: undefined;
+};
+
+const test = base.extend<SendAndWaitFixtures>({
+	slackProxySetup: [
+		async ({ services }, use) => {
+			await services.proxy.clearAllExpectations();
+			await services.proxy.createExpectation({
+				httpRequest: { method: 'POST', path: '/api/chat.postMessage' },
+				httpResponse: {
+					statusCode: 200,
+					headers: { 'Content-Type': ['application/json'] },
+					body: JSON.stringify({
+						ok: true,
+						channel: 'C12345678',
+						ts: '1234567890.123456',
+						message: { text: 'Approval Request' },
+					}),
+				},
+				times: { unlimited: true },
+			});
+			await use(undefined);
+		},
+		{ auto: true },
+	],
+
+	slackCredential: async ({ n8n }, use) => {
+		const credential = await n8n.api.credentials.createCredential({
+			name: `Slack Test ${crypto.randomUUID().slice(0, 8)}`,
+			type: 'slackApi',
+			data: { accessToken: 'xoxb-fake-token-for-testing' },
+		});
+		await use(credential);
+		await n8n.api.credentials.deleteCredential(credential.id);
+	},
+});
+
+const NOT_A_BOT_USER_AGENT =
+	'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0';
+
+function getBlocksFromBody(body: { blocks?: SlackBlock[] } | undefined): SlackBlock[] | null {
+	return body?.blocks ?? null;
+}
+
+function extractApprovalUrls(blocks: SlackBlock[]): { approveUrl?: string; rejectUrl?: string } {
+	const buttons = blocks
+		.filter((b) => b.type === 'actions' && b.elements)
+		.flatMap((b) => b.elements?.filter((el) => el.type === 'button' && el.url) ?? []);
+
+	return {
+		approveUrl: buttons.find((btn) => btn.url?.includes('approved=true'))?.url,
+		rejectUrl: buttons.find((btn) => btn.url?.includes('approved=false'))?.url,
+	};
+}
+
+function extractFormUrl(blocks: SlackBlock[]): string | undefined {
+	const buttons = blocks
+		.filter((b) => b.type === 'actions' && b.elements)
+		.flatMap((b) => b.elements?.filter((el) => el.type === 'button' && el.url) ?? []);
+
+	// For custom forms, there's a single button with the form URL (contains signature)
+	return buttons.find((btn) => btn.url?.includes('signature='))?.url;
+}
+
+async function waitForSlackRequest(proxyServer: ProxyServer) {
+	await expect(async () => {
+		const requests = await proxyServer.getAllRequestsMade();
+		const slackRequest = requests.find(
+			(r) => r.httpRequest?.path === '/api/chat.postMessage' && r.httpRequest?.method === 'POST',
+		);
+		expect(slackRequest).toBeDefined();
+	}).toPass();
+}
+
+async function getApprovalUrlsFromSlack(proxyServer: ProxyServer) {
+	const requests = await proxyServer.getAllRequestsMade();
+	const slackRequest = requests.find(
+		(r) => r.httpRequest?.path === '/api/chat.postMessage' && r.httpRequest?.method === 'POST',
+	);
+	const blocks = getBlocksFromBody(slackRequest?.httpRequest?.body as { blocks?: SlackBlock[] });
+	return extractApprovalUrls(blocks!);
+}
+
+async function getFormUrlFromSlack(proxyServer: ProxyServer) {
+	const requests = await proxyServer.getAllRequestsMade();
+	const slackRequest = requests.find(
+		(r) => r.httpRequest?.path === '/api/chat.postMessage' && r.httpRequest?.method === 'POST',
+	);
+	const blocks = getBlocksFromBody(slackRequest?.httpRequest?.body as { blocks?: SlackBlock[] });
+	return extractFormUrl(blocks!);
+}
+
+async function clickApprovalLink(page: Page, url: string) {
+	console.log('Clicking approval URL:', url);
+	const response = await page.request.get(url, {
+		headers: { 'User-Agent': NOT_A_BOT_USER_AGENT },
+	});
+	console.log('Response status:', response.status());
+	const body = await response.text();
+	console.log('Response body preview:', body.substring(0, 500));
+	expect(response.ok()).toBe(true);
+}
+
+function withSlackCredential(credential: CredentialResponse) {
+	return (workflow: Partial<IWorkflowBase>) => {
+		workflow.nodes?.forEach((node) => {
+			if (node.type === 'n8n-nodes-base.slack') {
+				node.credentials = { slackApi: { id: credential.id, name: credential.name } };
+			}
+		});
+		return workflow;
+	};
+}
+
+test.use({ capability: 'proxy' });
+
+test.describe('Send and Wait @capability:proxy', () => {
+	test('should complete approval flow when clicking approve URL', async ({
+		n8n,
+		services,
+		slackCredential,
+	}) => {
+		const { workflowId } = await n8n.api.workflows.importWorkflowFromFile(
+			'send-and-wait-approval.json',
+			{ transform: withSlackCredential(slackCredential) },
+		);
+		await n8n.navigate.toWorkflow(workflowId);
+
+		await n8n.canvas.clickExecuteWorkflowButton('Manual Trigger');
+		await waitForSlackRequest(services.proxy);
+		await n8n.api.workflows.waitForWorkflowStatus(workflowId, 'waiting', 10000);
+
+		const { approveUrl } = await getApprovalUrlsFromSlack(services.proxy);
+		expect(approveUrl).toContain('signature=');
+
+		await clickApprovalLink(n8n.page, approveUrl!);
+
+		await expect(n8n.canvas.getNodeSuccessStatusIndicator('Capture Result')).toBeVisible();
+	});
+
+	test('should complete rejection flow when clicking reject URL', async ({
+		n8n,
+		services,
+		slackCredential,
+	}) => {
+		const { workflowId } = await n8n.api.workflows.importWorkflowFromFile(
+			'send-and-wait-approval.json',
+			{ transform: withSlackCredential(slackCredential) },
+		);
+		await n8n.navigate.toWorkflow(workflowId);
+
+		await n8n.canvas.clickExecuteWorkflowButton('Manual Trigger');
+		await waitForSlackRequest(services.proxy);
+		await n8n.api.workflows.waitForWorkflowStatus(workflowId, 'waiting', 10000);
+
+		const { rejectUrl } = await getApprovalUrlsFromSlack(services.proxy);
+		expect(rejectUrl).toContain('signature=');
+
+		await clickApprovalLink(n8n.page, rejectUrl!);
+
+		await expect(n8n.canvas.getNodeSuccessStatusIndicator('Capture Result')).toBeVisible();
+	});
+
+	test('should reject requests with invalid signatures', async ({
+		n8n,
+		services,
+		slackCredential,
+	}) => {
+		const { workflowId } = await n8n.api.workflows.importWorkflowFromFile(
+			'send-and-wait-approval.json',
+			{ transform: withSlackCredential(slackCredential) },
+		);
+		await n8n.navigate.toWorkflow(workflowId);
+
+		await n8n.canvas.clickExecuteWorkflowButton('Manual Trigger');
+		await waitForSlackRequest(services.proxy);
+
+		const execution = await n8n.api.workflows.waitForWorkflowStatus(workflowId, 'waiting', 10000);
+
+		const unsignedResponse = await n8n.api.webhooks.trigger(
+			`/webhook-waiting/${execution.id}/slack-send-wait`,
+		);
+		expect(unsignedResponse.status()).toBe(401);
+
+		const tamperedResponse = await n8n.api.webhooks.trigger(
+			`/webhook-waiting/${execution.id}/slack-send-wait?approved=true&signature=tampered`,
+		);
+		expect(tamperedResponse.status()).toBe(401);
+	});
+
+	test('should complete form submission flow', async ({ n8n, services, slackCredential }) => {
+		const { workflowId } = await n8n.api.workflows.importWorkflowFromFile(
+			'send-and-wait-form.json',
+			{ transform: withSlackCredential(slackCredential) },
+		);
+		await n8n.navigate.toWorkflow(workflowId);
+
+		await n8n.canvas.clickExecuteWorkflowButton();
+		await waitForSlackRequest(services.proxy);
+		await n8n.api.workflows.waitForWorkflowStatus(workflowId, 'waiting', 10000);
+
+		const formUrl = await getFormUrlFromSlack(services.proxy);
+		expect(formUrl).toContain('signature=');
+
+		const formPage = await n8n.page.context().newPage();
+		await formPage.goto(formUrl!);
+
+		await expect(formPage.getByText('Test Form')).toBeVisible({ timeout: 10000 });
+		await expect(formPage.getByText('Please provide your information')).toBeVisible();
+
+		await formPage.getByLabel('Name').fill('John Doe');
+		await formPage.getByLabel('Email').fill('john@example.com');
+		await formPage.getByLabel('Comments').fill('This is a test comment');
+
+		await formPage.getByRole('button', { name: 'Submit Form' }).click();
+
+		await expect(formPage.getByText('Got it, thanks')).toBeVisible({ timeout: 10000 });
+
+		await formPage.close();
+
+		await expect(n8n.canvas.getNodeSuccessStatusIndicator('Capture Result')).toBeVisible();
+
+		await n8n.canvas.openNode('Capture Result');
+		await expect(n8n.ndv.outputPanel.getTbodyCell(0, 0)).toHaveText('John Doe');
+		await expect(n8n.ndv.outputPanel.getTbodyCell(0, 1)).toHaveText('john@example.com');
+		await expect(n8n.ndv.outputPanel.getTbodyCell(0, 2)).toHaveText('This is a test comment');
+	});
+
+	test('should complete approval flow in production mode (activated workflow)', async ({
+		n8n,
+		services,
+		slackCredential,
+	}) => {
+		const { workflowId, webhookPath } = await n8n.api.workflows.importWorkflowFromFile(
+			'send-and-wait-approval.json',
+			{ transform: withSlackCredential(slackCredential) },
+		);
+
+		await n8n.navigate.toWorkflow(workflowId);
+		await n8n.canvas.publishWorkflow();
+
+		const triggerResponse = await n8n.api.webhooks.trigger(`/webhook/${webhookPath}`);
+		expect(triggerResponse.ok()).toBe(true);
+
+		await waitForSlackRequest(services.proxy);
+		await n8n.api.workflows.waitForWorkflowStatus(workflowId, 'waiting', 10000);
+
+		const { approveUrl } = await getApprovalUrlsFromSlack(services.proxy);
+		expect(approveUrl).toContain('signature=');
+
+		await clickApprovalLink(n8n.page, approveUrl!);
+
+		const execution = await n8n.api.workflows.waitForWorkflowStatus(workflowId, 'success', 10000);
+		expect(execution.status).toBe('success');
+	});
+});
diff --git a/packages/testing/playwright/tests/e2e/workflows/editor/subworkflows/wait.spec.ts b/packages/testing/playwright/tests/e2e/workflows/editor/subworkflows/wait.spec.ts
index 21f507df806..0f37c5187bc 100644
--- a/packages/testing/playwright/tests/e2e/workflows/editor/subworkflows/wait.spec.ts
+++ b/packages/testing/playwright/tests/e2e/workflows/editor/subworkflows/wait.spec.ts
@@ -3,9 +3,25 @@ import { readFileSync } from 'fs';
 import type { IWorkflowBase } from 'n8n-workflow';
 
 import { test, expect } from '../../../../../fixtures/base';
+import type { ApiHelpers } from '../../../../../services/api-helper';
 import { resolveFromRoot } from '../../../../../utils/path-helper';
 import { retryUntil } from '../../../../../utils/retry-utils';
 
+/**
+ * Extracts the resume URL from an execution's node output.
+ */
+async function getResumeUrl(
+	api: ApiHelpers,
+	executionId: string,
+	nodeName: string,
+	fieldName: string,
+): Promise<string> {
+	const fullExecution = await api.workflows.getExecution(executionId);
+	const executionData = flatted.parse(fullExecution.data);
+	const nodeOutput = executionData.resultData.runData[nodeName];
+	return nodeOutput[0].data.main[0][0].json[fieldName] as string;
+}
+
 test.describe(
 	'Parent that does not wait for sub-workflow',
 	{
@@ -132,10 +148,10 @@ test.describe('CAT-1801: Parent receives correct data from child with wait node'
 			{ timeoutMs: 10000, intervalMs: 200 },
 		);
 
-		// Trigger the wait webhook to resume child using child execution ID
-		const waitWebhookResponse = await api.webhooks.trigger(
-			`/webhook-waiting/${childExecution!.id}`,
-		);
+		// Trigger the wait webhook to resume child using the resume URL
+		// The child workflow captures $execution.resumeUrl in the "Edit Fields" node's "webhook" field
+		const resumeUrl = await getResumeUrl(api, childExecution!.id, 'Edit Fields', 'webhook');
+		const waitWebhookResponse = await api.webhooks.trigger(resumeUrl);
 		expect(waitWebhookResponse.ok()).toBe(true);
 
 		// Wait for parent to complete
@@ -193,8 +209,14 @@ test.describe('CAT-1929: Parent should not resume until child with multiple wait
 		// Verify parent is also waiting at this point
 		await api.workflows.waitForWorkflowStatus(parentWorkflowId, 'waiting');
 
-		// Resume first wait node
-		const firstWaitResponse = await api.webhooks.trigger(`/webhook-waiting/${childExecution.id}`);
+		// Resume first wait node using URL from "Edit Fields - Before First Wait" node
+		const firstResumeUrl = await getResumeUrl(
+			api,
+			childExecution.id,
+			'Edit Fields - Before First Wait',
+			'webhook1',
+		);
+		const firstWaitResponse = await api.webhooks.trigger(firstResumeUrl);
 		expect(firstWaitResponse.ok()).toBe(true);
 
 		// Wait for child to reach the second wait node
@@ -207,8 +229,14 @@ test.describe('CAT-1929: Parent should not resume until child with multiple wait
 		);
 		expect(parentExecAfterFirstWait.status).toBe('waiting');
 
-		// Resume second wait node
-		const secondWaitResponse = await api.webhooks.trigger(`/webhook-waiting/${childExecution.id}`);
+		// Resume second wait node using URL from "Edit Fields - After First Wait" node
+		const secondResumeUrl = await getResumeUrl(
+			api,
+			childExecution.id,
+			'Edit Fields - After First Wait',
+			'webhook2',
+		);
+		const secondWaitResponse = await api.webhooks.trigger(secondResumeUrl);
 		expect(secondWaitResponse.ok()).toBe(true);
 
 		// Now parent should complete
diff --git a/packages/testing/playwright/workflows/send-and-wait-approval.json b/packages/testing/playwright/workflows/send-and-wait-approval.json
new file mode 100644
index 00000000000..95ccbfaca2e
--- /dev/null
+++ b/packages/testing/playwright/workflows/send-and-wait-approval.json
@@ -0,0 +1,126 @@
+{
+	"name": "Send and Wait Approval Test",
+	"nodes": [
+		{
+			"parameters": {},
+			"id": "manual-trigger",
+			"name": "Manual Trigger",
+			"type": "n8n-nodes-base.manualTrigger",
+			"typeVersion": 1,
+			"position": [300, 200]
+		},
+		{
+			"parameters": {
+				"path": "send-and-wait-approval-test",
+				"options": {}
+			},
+			"id": "webhook-trigger",
+			"name": "Webhook",
+			"type": "n8n-nodes-base.webhook",
+			"typeVersion": 2,
+			"position": [300, 400],
+			"webhookId": "send-and-wait-approval-webhook"
+		},
+		{
+			"parameters": {
+				"authentication": "accessToken",
+				"resource": "message",
+				"operation": "sendAndWait",
+				"select": "channel",
+				"channelId": {
+					"__rl": true,
+					"value": "C12345678",
+					"mode": "id"
+				},
+				"subject": "Approval Request",
+				"message": "Please approve this test request",
+				"responseType": "approval",
+				"approvalOptions": {
+					"values": {
+						"approvalType": "double",
+						"approveLabel": "Approve",
+						"buttonApprovalStyle": "primary",
+						"disapproveLabel": "Reject",
+						"buttonDisapprovalStyle": "secondary"
+					}
+				},
+				"options": {}
+			},
+			"id": "slack-send-wait",
+			"name": "Slack",
+			"type": "n8n-nodes-base.slack",
+			"typeVersion": 2.2,
+			"position": [500, 300],
+			"credentials": {
+				"slackApi": {
+					"id": "PLACEHOLDER_CREDENTIAL_ID",
+					"name": "Slack Test Credential"
+				}
+			}
+		},
+		{
+			"parameters": {
+				"assignments": {
+					"assignments": [
+						{
+							"id": "result-field",
+							"name": "approvalResult",
+							"value": "={{ $json.data.approved }}",
+							"type": "boolean"
+						}
+					]
+				},
+				"options": {}
+			},
+			"id": "capture-result",
+			"name": "Capture Result",
+			"type": "n8n-nodes-base.set",
+			"typeVersion": 3.3,
+			"position": [700, 300]
+		}
+	],
+	"connections": {
+		"Manual Trigger": {
+			"main": [
+				[
+					{
+						"node": "Slack",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		},
+		"Webhook": {
+			"main": [
+				[
+					{
+						"node": "Slack",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		},
+		"Slack": {
+			"main": [
+				[
+					{
+						"node": "Capture Result",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		}
+	},
+	"settings": {
+		"executionOrder": "v1"
+	},
+	"staticData": null,
+	"meta": null,
+	"pinData": {},
+	"versionId": null,
+	"triggerCount": 0,
+	"tags": []
+}
diff --git a/packages/testing/playwright/workflows/send-and-wait-form.json b/packages/testing/playwright/workflows/send-and-wait-form.json
new file mode 100644
index 00000000000..643a146b400
--- /dev/null
+++ b/packages/testing/playwright/workflows/send-and-wait-form.json
@@ -0,0 +1,130 @@
+{
+	"name": "Send and Wait Form Test",
+	"nodes": [
+		{
+			"parameters": {},
+			"id": "manual-trigger",
+			"name": "Manual Trigger",
+			"type": "n8n-nodes-base.manualTrigger",
+			"typeVersion": 1,
+			"position": [300, 300]
+		},
+		{
+			"parameters": {
+				"authentication": "accessToken",
+				"resource": "message",
+				"operation": "sendAndWait",
+				"select": "channel",
+				"channelId": {
+					"__rl": true,
+					"value": "C12345678",
+					"mode": "id"
+				},
+				"subject": "Form Request",
+				"message": "Please fill out this form",
+				"responseType": "customForm",
+				"defineForm": "fields",
+				"formFields": {
+					"values": [
+						{
+							"fieldLabel": "Name",
+							"fieldType": "text",
+							"requiredField": true
+						},
+						{
+							"fieldLabel": "Email",
+							"fieldType": "email",
+							"requiredField": true
+						},
+						{
+							"fieldLabel": "Comments",
+							"fieldType": "textarea",
+							"requiredField": false
+						}
+					]
+				},
+				"options": {
+					"responseFormTitle": "Test Form",
+					"responseFormDescription": "Please provide your information",
+					"responseFormButtonLabel": "Submit Form"
+				}
+			},
+			"id": "slack-send-wait",
+			"name": "Slack",
+			"type": "n8n-nodes-base.slack",
+			"typeVersion": 2.2,
+			"position": [500, 300],
+			"credentials": {
+				"slackApi": {
+					"id": "PLACEHOLDER_CREDENTIAL_ID",
+					"name": "Slack Test Credential"
+				}
+			}
+		},
+		{
+			"parameters": {
+				"assignments": {
+					"assignments": [
+						{
+							"id": "name-field",
+							"name": "submittedName",
+							"value": "={{ $json.data.Name }}",
+							"type": "string"
+						},
+						{
+							"id": "email-field",
+							"name": "submittedEmail",
+							"value": "={{ $json.data.Email }}",
+							"type": "string"
+						},
+						{
+							"id": "comments-field",
+							"name": "submittedComments",
+							"value": "={{ $json.data.Comments }}",
+							"type": "string"
+						}
+					]
+				},
+				"options": {}
+			},
+			"id": "capture-result",
+			"name": "Capture Result",
+			"type": "n8n-nodes-base.set",
+			"typeVersion": 3.3,
+			"position": [700, 300]
+		}
+	],
+	"connections": {
+		"Manual Trigger": {
+			"main": [
+				[
+					{
+						"node": "Slack",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		},
+		"Slack": {
+			"main": [
+				[
+					{
+						"node": "Capture Result",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		}
+	},
+	"settings": {
+		"executionOrder": "v1"
+	},
+	"staticData": null,
+	"meta": null,
+	"pinData": {},
+	"versionId": null,
+	"triggerCount": 0,
+	"tags": []
+}
diff --git a/packages/testing/playwright/workflows/wait-form-resume.json b/packages/testing/playwright/workflows/wait-form-resume.json
new file mode 100644
index 00000000000..b9f24e0c5d9
--- /dev/null
+++ b/packages/testing/playwright/workflows/wait-form-resume.json
@@ -0,0 +1,124 @@
+{
+	"name": "Wait Form Resume Test",
+	"active": true,
+	"nodes": [
+		{
+			"parameters": {
+				"httpMethod": "POST",
+				"path": "start-wait-form-test",
+				"options": {}
+			},
+			"id": "webhook-trigger",
+			"name": "Webhook",
+			"type": "n8n-nodes-base.webhook",
+			"typeVersion": 1,
+			"position": [300, 300],
+			"webhookId": "start-wait-form-test-id"
+		},
+		{
+			"parameters": {
+				"assignments": {
+					"assignments": [
+						{
+							"id": "capture-form-url",
+							"name": "formUrl",
+							"value": "={{ $execution.resumeFormUrl }}",
+							"type": "string"
+						}
+					]
+				},
+				"options": {}
+			},
+			"id": "capture-url",
+			"name": "Capture Form URL",
+			"type": "n8n-nodes-base.set",
+			"typeVersion": 3.3,
+			"position": [500, 300]
+		},
+		{
+			"parameters": {
+				"resume": "form",
+				"formTitle": "Test Form",
+				"formFields": {
+					"values": [
+						{
+							"fieldLabel": "Name",
+							"fieldType": "text",
+							"requiredField": true
+						}
+					]
+				},
+				"options": {}
+			},
+			"id": "wait-form",
+			"name": "Wait for Form",
+			"type": "n8n-nodes-base.wait",
+			"typeVersion": 1.1,
+			"position": [700, 300]
+		},
+		{
+			"parameters": {
+				"assignments": {
+					"assignments": [
+						{
+							"id": "result",
+							"name": "result",
+							"value": "Form submitted successfully",
+							"type": "string"
+						}
+					]
+				},
+				"options": {}
+			},
+			"id": "result",
+			"name": "Result",
+			"type": "n8n-nodes-base.set",
+			"typeVersion": 3.3,
+			"position": [900, 300]
+		}
+	],
+	"connections": {
+		"Webhook": {
+			"main": [
+				[
+					{
+						"node": "Capture Form URL",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		},
+		"Capture Form URL": {
+			"main": [
+				[
+					{
+						"node": "Wait for Form",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		},
+		"Wait for Form": {
+			"main": [
+				[
+					{
+						"node": "Result",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		}
+	},
+	"settings": {
+		"executionOrder": "v1"
+	},
+	"staticData": null,
+	"meta": null,
+	"pinData": {},
+	"versionId": null,
+	"triggerCount": 0,
+	"tags": []
+}
diff --git a/packages/testing/playwright/workflows/wait-webhook-resume.json b/packages/testing/playwright/workflows/wait-webhook-resume.json
new file mode 100644
index 00000000000..9e09445025a
--- /dev/null
+++ b/packages/testing/playwright/workflows/wait-webhook-resume.json
@@ -0,0 +1,115 @@
+{
+	"name": "Wait Webhook Resume Test",
+	"active": true,
+	"nodes": [
+		{
+			"parameters": {
+				"httpMethod": "POST",
+				"path": "start-wait-test",
+				"options": {}
+			},
+			"id": "webhook-trigger",
+			"name": "Webhook",
+			"type": "n8n-nodes-base.webhook",
+			"typeVersion": 1,
+			"position": [300, 300],
+			"webhookId": "start-wait-test-id"
+		},
+		{
+			"parameters": {
+				"assignments": {
+					"assignments": [
+						{
+							"id": "capture-resume-url",
+							"name": "resumeUrl",
+							"value": "={{ $execution.resumeUrl }}",
+							"type": "string"
+						}
+					]
+				},
+				"options": {}
+			},
+			"id": "capture-url",
+			"name": "Capture Resume URL",
+			"type": "n8n-nodes-base.set",
+			"typeVersion": 3.3,
+			"position": [400, 300]
+		},
+		{
+			"parameters": {
+				"resume": "webhook",
+				"options": {}
+			},
+			"id": "wait-node",
+			"name": "Wait",
+			"type": "n8n-nodes-base.wait",
+			"typeVersion": 1.1,
+			"position": [600, 300],
+			"webhookId": "wait-webhook-id"
+		},
+		{
+			"parameters": {
+				"assignments": {
+					"assignments": [
+						{
+							"id": "result-field",
+							"name": "result",
+							"value": "Wait completed successfully",
+							"type": "string"
+						}
+					]
+				},
+				"options": {}
+			},
+			"id": "set-result",
+			"name": "Set Result",
+			"type": "n8n-nodes-base.set",
+			"typeVersion": 3.3,
+			"position": [800, 300]
+		}
+	],
+	"connections": {
+		"Webhook": {
+			"main": [
+				[
+					{
+						"node": "Capture Resume URL",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		},
+		"Capture Resume URL": {
+			"main": [
+				[
+					{
+						"node": "Wait",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		},
+		"Wait": {
+			"main": [
+				[
+					{
+						"node": "Set Result",
+						"type": "main",
+						"index": 0
+					}
+				]
+			]
+		}
+	},
+	"settings": {
+		"executionOrder": "v1"
+	},
+	"staticData": null,
+	"meta": null,
+	"pinData": {},
+	"versionId": null,
+	"triggerCount": 0,
+	"tags": []
+}
diff --git a/packages/workflow/src/index.ts b/packages/workflow/src/index.ts
index dea6a000e1e..b1a089048af 100644
--- a/packages/workflow/src/index.ts
+++ b/packages/workflow/src/index.ts
@@ -57,6 +57,7 @@ export {
 	isCommunityPackageName,
 	dedupe,
 	sanitizeFilename,
+	generateSecureToken,
 } from './utils';
 export {
 	isINodeProperties,
diff --git a/packages/workflow/src/interfaces.ts b/packages/workflow/src/interfaces.ts
index d136d1dd707..7adf55860dc 100644
--- a/packages/workflow/src/interfaces.ts
+++ b/packages/workflow/src/interfaces.ts
@@ -963,8 +963,6 @@ export interface FunctionsBase {
 	getInstanceId(): string;
 	/** Get the waiting resume url signed with the signature token */
 	getSignedResumeUrl(parameters?: Record<string, string>): string;
-	/** Set requirement in the execution for signature token validation */
-	setSignatureValidationRequired(): void;
 	getChildNodes(
 		nodeName: string,
 		options?: { includeNodeParameters?: boolean },
@@ -2754,6 +2752,18 @@ export interface ITaskMetadata {
 		/** Time saved in minutes */
 		minutes: number;
 	};
+
+	/**
+	 * Signed URL for resuming form-based waiting executions.
+	 * Contains token for security validation.
+	 */
+	resumeFormUrl?: string;
+
+	/**
+	 * Signed URL for resuming webhook-based waiting executions.
+	 * Contains token for security validation.
+	 */
+	resumeUrl?: string;
 }
 
 /** The data that gets returned when a node execution starts */
diff --git a/packages/workflow/src/run-execution-data-factory.ts b/packages/workflow/src/run-execution-data-factory.ts
index 525109288da..60003ff5aef 100644
--- a/packages/workflow/src/run-execution-data-factory.ts
+++ b/packages/workflow/src/run-execution-data-factory.ts
@@ -14,6 +14,7 @@ import type {
 } from './interfaces';
 import type { IRunExecutionData } from './run-execution-data/run-execution-data';
 import type { IRunExecutionDataV1 } from './run-execution-data/run-execution-data.v1';
+import { generateSecureToken } from './utils';
 
 export interface CreateFullRunExecutionDataOptions {
 	startData?: {
@@ -40,12 +41,39 @@ export interface CreateFullRunExecutionDataOptions {
 		runtimeData?: IExecutionContext;
 	} | null;
 	parentExecution?: RelatedExecution;
-	validateSignature?: boolean;
+	resumeToken?: string;
 	waitTill?: Date;
 	manualData?: IRunExecutionData['manualData'];
 	pushRef?: IRunExecutionData['pushRef'];
 }
 
+function buildResultData(
+	resultData: CreateFullRunExecutionDataOptions['resultData'],
+): IRunExecutionDataV1['resultData'] {
+	return {
+		error: resultData?.error,
+		// @ts-expect-error CAT-752
+		runData: resultData?.runData === null ? undefined : (resultData?.runData ?? {}),
+		pinData: resultData?.pinData,
+		lastNodeExecuted: resultData?.lastNodeExecuted,
+		metadata: resultData?.metadata,
+	};
+}
+
+function buildExecutionData(
+	executionData: CreateFullRunExecutionDataOptions['executionData'],
+): IRunExecutionDataV1['executionData'] {
+	if (executionData === null) return undefined;
+	return {
+		contextData: executionData?.contextData ?? {},
+		nodeExecutionStack: executionData?.nodeExecutionStack ?? [],
+		metadata: executionData?.metadata ?? {},
+		waitingExecution: executionData?.waitingExecution ?? {},
+		waitingExecutionSource: executionData?.waitingExecutionSource ?? {},
+		runtimeData: executionData?.runtimeData,
+	};
+}
+
 /**
  * Creates a complete IRunExecutionData object with all properties initialized.
  * You can pass `executionData: null` and `resultData.runData: null` if you
@@ -57,28 +85,10 @@ export function createRunExecutionData(
 	return {
 		version: 1,
 		startData: options.startData ?? {},
-		resultData: {
-			error: options.resultData?.error,
-			// @ts-expect-error CAT-752
-			runData:
-				options.resultData?.runData === null ? undefined : (options.resultData?.runData ?? {}),
-			pinData: options.resultData?.pinData,
-			lastNodeExecuted: options.resultData?.lastNodeExecuted,
-			metadata: options.resultData?.metadata,
-		},
-		executionData:
-			options.executionData === null
-				? undefined
-				: {
-						contextData: options.executionData?.contextData ?? {},
-						nodeExecutionStack: options.executionData?.nodeExecutionStack ?? [],
-						metadata: options.executionData?.metadata ?? {},
-						waitingExecution: options.executionData?.waitingExecution ?? {},
-						waitingExecutionSource: options.executionData?.waitingExecutionSource ?? {},
-						runtimeData: options.executionData?.runtimeData,
-					},
+		resultData: buildResultData(options.resultData),
+		executionData: buildExecutionData(options.executionData),
 		parentExecution: options.parentExecution,
-		validateSignature: options.validateSignature,
+		resumeToken: options.resumeToken ?? generateSecureToken(),
 		waitTill: options.waitTill,
 		manualData: options.manualData,
 		pushRef: options.pushRef,
diff --git a/packages/workflow/src/run-execution-data/run-execution-data.v0.ts b/packages/workflow/src/run-execution-data/run-execution-data.v0.ts
index 6a9bcf05407..4ba1303130c 100644
--- a/packages/workflow/src/run-execution-data/run-execution-data.v0.ts
+++ b/packages/workflow/src/run-execution-data/run-execution-data.v0.ts
@@ -41,10 +41,10 @@ export interface IRunExecutionDataV0 {
 	};
 	parentExecution?: RelatedExecution;
 	/**
-	 * This is used to prevent breaking change
-	 * for waiting executions started before signature validation was added
+	 * Random token used to validate waiting webhook/form requests.
+	 * Generated when execution starts. Presence signals validation is required.
 	 */
-	validateSignature?: boolean;
+	resumeToken?: string;
 	waitTill?: Date;
 	pushRef?: string;
 
diff --git a/packages/workflow/src/run-execution-data/run-execution-data.v1.ts b/packages/workflow/src/run-execution-data/run-execution-data.v1.ts
index d1b44b410a0..1a076f27510 100644
--- a/packages/workflow/src/run-execution-data/run-execution-data.v1.ts
+++ b/packages/workflow/src/run-execution-data/run-execution-data.v1.ts
@@ -56,10 +56,10 @@ export interface IRunExecutionDataV1 {
 	};
 	parentExecution?: RelatedExecution;
 	/**
-	 * This is used to prevent breaking change
-	 * for waiting executions started before signature validation was added
+	 * Random token used to validate waiting webhook/form requests.
+	 * Generated when execution starts. Presence signals validation is required.
 	 */
-	validateSignature?: boolean;
+	resumeToken?: string;
 	waitTill?: Date;
 	pushRef?: string;
 
diff --git a/packages/workflow/src/utils.ts b/packages/workflow/src/utils.ts
index ae7aca415a5..9ca75c016cb 100644
--- a/packages/workflow/src/utils.ts
+++ b/packages/workflow/src/utils.ts
@@ -510,3 +510,10 @@ export function sanitizeFilename(fileName: string): string {
 
 	return sanitized;
 }
+
+/** Generates a cryptographically secure 64-character hex token (256 bits). */
+export function generateSecureToken(): string {
+	const bytes = new Uint8Array(32);
+	crypto.getRandomValues(bytes);
+	return bytes.reduce((hex, byte) => hex + byte.toString(16).padStart(2, '0'), '');
+}
diff --git a/packages/workflow/test/run-execution-data-factory.test.ts b/packages/workflow/test/run-execution-data-factory.test.ts
index 0b74830e008..b4f572e7dca 100644
--- a/packages/workflow/test/run-execution-data-factory.test.ts
+++ b/packages/workflow/test/run-execution-data-factory.test.ts
@@ -19,7 +19,7 @@ describe('RunExecutionDataFactory', () => {
 				manualData: undefined,
 				parentExecution: undefined,
 				pushRef: undefined,
-				validateSignature: undefined,
+				resumeToken: expect.stringMatching(/^[a-f0-9]{64}$/),
 				waitTill: undefined,
 				resultData: {
 					error: undefined,
@@ -61,7 +61,7 @@ describe('RunExecutionDataFactory', () => {
 					executionId: 'parent-123',
 					workflowId: 'workflow-456',
 				},
-				validateSignature: true,
+				resumeToken: 'custom-token-for-test',
 				waitTill: new Date('2023-01-01'),
 			} satisfies CreateFullRunExecutionDataOptions;
 
@@ -75,7 +75,7 @@ describe('RunExecutionDataFactory', () => {
 			);
 			expect(result.executionData?.runtimeData).toEqual(options.executionData.runtimeData);
 			expect(result.parentExecution).toEqual(options.parentExecution);
-			expect(result.validateSignature).toBe(true);
+			expect(result.resumeToken).toBe('custom-token-for-test');
 			expect(result.waitTill).toEqual(options.waitTill);
 		});
 
diff --git a/packages/workflow/test/run-execution-data/run-execution-data.test.ts b/packages/workflow/test/run-execution-data/run-execution-data.test.ts
index a5f44f472cf..299fb4213d3 100644
--- a/packages/workflow/test/run-execution-data/run-execution-data.test.ts
+++ b/packages/workflow/test/run-execution-data/run-execution-data.test.ts
@@ -24,7 +24,7 @@ describe('migrateRunExecutionData', () => {
 				waitingExecution: {},
 				waitingExecutionSource: null,
 			},
-			validateSignature: true,
+			resumeToken: 'test-token-123',
 			pushRef: 'test-ref',
 		};
 
@@ -74,7 +74,7 @@ describe('migrateRunExecutionData', () => {
 				waitingExecution: {},
 				waitingExecutionSource: null,
 			},
-			validateSignature: true,
+			resumeToken: 'test-token-123',
 			pushRef: 'test-ref',
 		};