CodeShellDev · CodeShellDev · Jan 31, 2026 · Jan 31, 2026 · Jan 31, 2026
diff --git a/.github/templates/README.template.md b/.github/templates/README.template.md
@@ -145,11 +145,11 @@ You can also combine them:
 }
 ```
 
-#### Query-to-Body Injection
+#### URL-to-Body Injection
 
-In some cases you may not be able to access / modify the request body, in that case specify needed values in the request query:
+In some cases you may not be able to access / modify the request body, in that case specify needed values in the request query or path:
 
-`http://sec-signal-api:8880/?@key=value`
+`http://sec-signal-api:8880/@key2=value2/?@key=value`
 
 > [!IMPORTANT]
 > To differentiate **injection queries** from _regular_ queries, **prefix the key with `@`**.
@@ -194,7 +194,7 @@ This means that any valid Go template string will also work in Secured Signal AP
 Go's templating library is used in the following features:
 
 - [Message Templates](#message-templates)
-- [Query-to-Body Injection](#query-to-body-injection)
+- [URL-to-Body Injection](#url-to-body-injection)
 - [Placeholders](#placeholders)
 
 This makes advanced [Message Templates](#message-templates) like this one possible:
@@ -259,9 +259,9 @@ By default adding an endpoint explicitly allows access to it, use `!` to block i
 
 | Config (Allow) | (Block)        |   Result   |     |                   |     |
 | :------------- | :------------- | :--------: | --- | :---------------: | --- |
-| `/v2/send`     | `unset`        |  **all**   | ⛔️ |  **`/v2/send`**   | ✅  |
-| `unset`        | `!/v1/receive` |  **all**   | ✅  | **`/v1/receive`** | ⛔️ |
-| `!/v2*`        | `/v2/send`     | **`/v2*`** | ⛔️ |  **`/v2/send`**   | ✅  |
+| `/v2/send`     | `unset`        |  **all**   | ⛔️  |  **`/v2/send`**   | ✅  |
+| `unset`        | `!/v1/receive` |  **all**   | ✅  | **`/v1/receive`** | ⛔️  |
+| `!/v2*`        | `/v2/send`     | **`/v2*`** | ⛔️  |  **`/v2/send`**   | ✅  |
 
 ### Variables
 

diff --git a/docs/integrations/home-assistant/configuration.yml b/docs/integrations/home-assistant/configuration.yml
@@ -1,7 +1,7 @@
 notify:
   - name: signal
     platform: signal_messenger
-    url: "http://sec-signal-api:8880/auth=API_TOKEN"
-    number: "+123400001"
+    url: "http://sec-signal-api:8880/@auth=API_TOKEN"
+    number: "{{.NUMBER}}"
     recipients:
       - "+123400002" # tip: use a placeholder instead
diff --git a/docs/integrations/home-assistant/home-assistant.md b/docs/integrations/home-assistant/home-assistant.md
@@ -16,10 +16,7 @@ To be able to use the Signal Messenger integration in Home Assistant you need to
 {{{ #://./configuration.yml }}}
 ```
 
-> [!IMPORTANT]
-> Home Assistant requires `number` to actually be a number, so using placeholders is not supported at the moment
-
-Here we are taking advantage of the `url` field for adding `/auth=API_TOKEN` in order to use [Path Auth](../usage#auth).
+Here we are taking advantage of the `url` field for adding `/@auth=API_TOKEN` in order to use [Path Auth](../usage#auth).
 
 For more detailed configuration instructions read the [official Home Assistant docs](https://www.home-assistant.io/integrations/signal_messenger/).
 

diff --git a/docs/usage/advanced.md b/docs/usage/advanced.md
@@ -46,20 +46,20 @@ These can be especially **helpful** when managing **variables** across multiple
 > [!NOTE]
 > Placeholders follow strict formatting rules ([See Formatting](./formatting#templates))
 
-## Query-to-Body Injection
+## URL-to-Body Injection
 
 > _Sounds scary… but it really isn't._ 🫣
 
-**Query-to-Body Injection** is a powerful feature designed for **restricted or inflexible environments**.
+**URL-to-Body Injection** is a powerful feature designed for **restricted or inflexible environments**.
 
 In some setups, webhook configuration is extremely limited.
 For example, you may **only** be able to define a webhook URL, without any control over the **request body**.
 This becomes a problem when every receiving service is expected to support the **Signal CLI REST API** format.
 In such cases, using a simple, generic webhook is not possible.
 
-**Query-to-Body Injection** solves this by allowing you to inject values directly into the request body via query parameters.
+**URL-to-Body Injection** solves this by allowing you to inject values directly into the request body via query parameters or seperated path parameters.
 
-`http://sec-signal-api:8880/?@key=value`
+`http://sec-signal-api:8880/@key2=value2/?@key=value`
 
 > [!IMPORTANT]
 >

diff --git a/docs/usage/formatting.md b/docs/usage/formatting.md
@@ -15,8 +15,8 @@ As a result, any valid Go template string works in Secured Signal API.
 > [!NOTE]
 > The following features use Go’s templating library:
 >
-> - [Message Templates](../configuration/message-template)
-> - [Query-to-Body Injection](./advanced#query-to-body-injection)
+> - [URL Templates](../configuration/message-template)
+> - [URL-to-Body Injection](./advanced#url-to-body-injection)
 > - [Placeholders](./advanced#placeholders)
 
 | Scope                                   | Example             | Note             |

diff --git a/docs/usage/index.md b/docs/usage/index.md
@@ -28,8 +28,8 @@ This will send `Hello, World!` to `<to>` from `<from>`.
 | :---------- | :--------------------------------------------------------- |
 | Bearer Auth | Add `Authorization: Bearer API_TOKEN` to headers           |
 | Basic Auth  | Add `Authorization: Basic BASE64_STRING` (`api:API_TOKEN`) |
-| Query Auth  | Append `@authorization=API_TOKEN` to request URL           |
-| Path Auth   | Prepend request path with `/auth=API_TOKEN/`               |
+| Query Auth  | Append `@auth=API_TOKEN` to request URL                    |
+| Path Auth   | Prepend request path with `/@auth=API_TOKEN/`              |
 | Body Auth   | Set `auth` to `API_TOKEN` in the request body              |
 
 > [!WARNING]