Rotate a Webhook Signing Secret
Use this endpoint to generate a new server-owned signing secret for a webhook registration. The new signingSecret is returned only in this response — store it securely and update your signature verification. The previous secret stops being valid. Only registrations belonging to the caller’s tenant can be rotated.
Use the X-Idempotency header for guaranteed deduplication.
Authorizations
JWT Bearer token authentication. The tenantId is derived from the bearer token or authenticated request context and is not supplied through X-Organization-Id.
Headers
Required idempotency key for safe retries. Use a UUID v4 or unique business identifier. If the same key is sent again and the original request was already processed, the cached response is returned.
See Retries and idempotency for details.
255
Path Parameters
The unique identifier of the webhook registration whose secret will be rotated.
Response
Indicates that a new signing secret was generated. The signingSecret is returned only in this response.
Repeated calls with the same X-Idempotency key replay the cached response.
See Retries and idempotency for more details.
The unique identifier of the webhook registration.
"550e8400-e29b-41d4-a716-446655440000"
The human-readable name of the registration.
"Operations webhook"
The HTTPS endpoint that receives event deliveries.
"https://hooks.example.com/transfer-events"
Whether the registration is active.
true
The timestamp when the registration was created.
"2026-02-01T15:30:00Z"
The timestamp of the last update.
"2026-02-01T15:30:00Z"
The newly generated signing secret, returned only in this response. The previous secret stops being valid.
"whsec_example_rotated_not_a_real_secret"
The event types this endpoint subscribes to. Absent when the registration receives every event type.
["transfer.completed"]
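The retry behaviour described above matters because the previous secret stops being valid as soon as a rotation is processed. The following is an added example, not code from this API's documentation: it shows a client that reuses one X-Idempotency key across retries, so a lost response is replayed instead of triggering a second rotation. `FakeRotationAPI`, `rotate_signing_secret` and the dict used as `secret_store` are hypothetical names, and the fake server is a constructed stand-in that models only the behaviour stated on this page.

```python
import uuid


class FakeRotationAPI:
    """Constructed stand-in for the rotate endpoint (not the real service).

    Models only what the page states: each processed rotation issues a new
    secret, and a repeated X-Idempotency key replays the cached response.
    """

    def __init__(self):
        self.cache = {}    # X-Idempotency key -> cached response
        self.current = {}  # registration id -> secret the server now signs with
        self.drop_next_response = False  # simulate a reply lost in transit

    def rotate(self, registration_id, idempotency_key):
        if idempotency_key not in self.cache:
            secret = "whsec_constructed_" + uuid.uuid4().hex
            self.current[registration_id] = secret
            self.cache[idempotency_key] = {
                "id": registration_id,
                "signingSecret": secret,
            }
        if self.drop_next_response:
            self.drop_next_response = False
            raise TimeoutError("request processed, response lost")
        return self.cache[idempotency_key]


def rotate_signing_secret(api, registration_id, secret_store, max_attempts=3):
    """Rotate once and persist the new secret; returns the idempotency key used."""
    # One key per logical rotation, generated before the first attempt.
    key = str(uuid.uuid4())
    for _ in range(max_attempts):
        try:
            response = api.rotate(registration_id, key)
            break
        except TimeoutError:
            continue  # retry with the SAME key so the cached response is replayed
    else:
        raise RuntimeError("rotation outcome unknown; retry later with key " + key)
    # The secret appears only in this response: store it, never log it.
    secret_store[registration_id] = response["signingSecret"]
    return key
```

Generating a fresh key for each retry would instead rotate the secret again on every attempt, leaving any secret from a lost response unrecoverable.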
