Java authorizeRequests().permitAll() not working

Using the code from the Quickstart guide and running into issues.

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests()
				//.mvcMatchers(HttpMethod.GET, "/api/menu/items/**").permitAll() // GET requests don't need auth
				.mvcMatchers("/webhook/**")
				.permitAll() // Allow webhook calls
				.and()
				.authorizeRequests()
				.anyRequest()
				.authenticated()
				.and()
				.oauth2ResourceServer()
				.jwt()
				.decoder(jwtDecoder());
	}

My understanding is this should allow calls to /webhook to pass freely, but it’s not working as expected. My webhook calls are getting authenticated and throwing 401 errors. What’s wrong?