# Rotate the signing secret

Rotates the HMAC signing secret of the endpoint. A new secret is generated and returned in the response. The previous secret remains valid during the grace period defined by expire_current_in (default: 3600 seconds). During this period, deliveries include signatures with both secrets, allowing a gradual migration in your system without losing events.

Endpoint: POST /webhooks/endpoints/{webhook_endpoint_id}/secret/rotate

Version: 2026-03-01

Security: bearerAuth

## Path parameters:

- `webhook_endpoint_id` (string, required)
  Example: "we_550e8400e29b41d4a716446655440000"

## Header parameters:

- `Idempotency-Key` (string)
  Unique string for idempotent POST requests. Cached for 24 hours.

## Request fields (application/json):

- `expire_current_in` (integer)
  Seconds until the current secret expires. Default 3600. Max 86400.

## Response 200 fields (application/json):

- `id` (string, required)
- `secret` (string, required)
  New HMAC signing secret
  Example: "whsec_yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
- `previous_secret_expires_at` (string, required)
  When the old secret stops being included in signatures

## Response 400 fields (application/problem+json):

- `type` (string, required)
  URI identifying the error type
- `title` (string, required)
  Short, human-readable summary of the problem type
- `status` (integer, required)
  HTTP status code
- `detail` (string, required)
  Human-readable explanation specific to this occurrence
- `instance` (string)
  URI identifying this specific occurrence
- `code` (string)
  Machine-readable subtype code
- `param` (string)
  The request parameter that caused the error
- `errors` (array)
  Field-level validation errors
- `errors.param` (string, required)
- `errors.detail` (string, required)
- `errors.code` (string)

## Response 401 fields (application/problem+json):

- `type` (string, required)
  URI identifying the error type
- `title` (string, required)
  Short, human-readable summary of the problem type
- `status` (integer, required)
  HTTP status code
- `detail` (string, required)
  Human-readable explanation specific to this occurrence
- `instance` (string)
  URI identifying this specific occurrence
- `code` (string)
  Machine-readable subtype code
- `param` (string)
  The request parameter that caused the error
- `errors` (array)
  Field-level validation errors
- `errors.param` (string, required)
- `errors.detail` (string, required)
- `errors.code` (string)

## Response 404 fields (application/problem+json):

- `type` (string, required)
  URI identifying the error type
- `title` (string, required)
  Short, human-readable summary of the problem type
- `status` (integer, required)
  HTTP status code
- `detail` (string, required)
  Human-readable explanation specific to this occurrence
- `instance` (string)
  URI identifying this specific occurrence
- `code` (string)
  Machine-readable subtype code
- `param` (string)
  The request parameter that caused the error
- `errors` (array)
  Field-level validation errors
- `errors.param` (string, required)
- `errors.detail` (string, required)
- `errors.code` (string)

## Response 422 fields (application/problem+json):

- `type` (string, required)
  URI identifying the error type
- `title` (string, required)
  Short, human-readable summary of the problem type
- `status` (integer, required)
  HTTP status code
- `detail` (string, required)
  Human-readable explanation specific to this occurrence
- `instance` (string)
  URI identifying this specific occurrence
- `code` (string)
  Machine-readable subtype code
- `param` (string)
  The request parameter that caused the error
- `errors` (array)
  Field-level validation errors
- `errors.param` (string, required)
- `errors.detail` (string, required)
- `errors.code` (string)

## Response 429 fields (application/problem+json):

- `type` (string, required)
  URI identifying the error type
- `title` (string, required)
  Short, human-readable summary of the problem type
- `status` (integer, required)
  HTTP status code
- `detail` (string, required)
  Human-readable explanation specific to this occurrence
- `instance` (string)
  URI identifying this specific occurrence
- `code` (string)
  Machine-readable subtype code
- `param` (string)
  The request parameter that caused the error
- `errors` (array)
  Field-level validation errors
- `errors.param` (string, required)
- `errors.detail` (string, required)
- `errors.code` (string)

## Response 500 fields (application/problem+json):

- `type` (string, required)
  URI identifying the error type
- `title` (string, required)
  Short, human-readable summary of the problem type
- `status` (integer, required)
  HTTP status code
- `detail` (string, required)
  Human-readable explanation specific to this occurrence
- `instance` (string)
  URI identifying this specific occurrence
- `code` (string)
  Machine-readable subtype code
- `param` (string)
  The request parameter that caused the error
- `errors` (array)
  Field-level validation errors
- `errors.param` (string, required)
- `errors.detail` (string, required)
- `errors.code` (string)
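
A receiver-side sketch of the grace period described at the top of this page, added here as an example and not taken from the API's own code or SDK: the verifier accepts a delivery when any signature it carries matches a secret that is still active, and drops the previous secret once `previous_secret_expires_at` has passed. The signing scheme (hex HMAC-SHA256 over the raw body), the comma-separated header layout, the RFC 3339 timestamp format and all names and sample values below are assumptions, since this page does not define them.

```python
import hashlib
import hmac
from datetime import datetime, timezone

def sign(secret: str, body: bytes) -> str:
    # Assumed scheme: hex HMAC-SHA256 over the raw request body.
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()

def signature_header(body: bytes, secrets: list[str]) -> str:
    # Assumed header layout: one signature per active secret, comma-separated.
    return ",".join(sign(s, body) for s in secrets)

class WebhookVerifier:
    """Hypothetical receiver state: current secret plus an expiring previous one."""

    def __init__(self, secret: str):
        self.current = secret
        self.previous = None
        self.previous_expires_at = None

    def apply_rotation(self, rotate_response: dict) -> None:
        # Install the 200 response of the rotate call; keep the old secret
        # only until previous_secret_expires_at.
        self.previous = self.current
        self.current = rotate_response["secret"]
        ts = rotate_response["previous_secret_expires_at"].replace("Z", "+00:00")
        self.previous_expires_at = datetime.fromisoformat(ts)

    def active_secrets(self, now: datetime) -> list[str]:
        secrets = [self.current]
        if self.previous and now < self.previous_expires_at:
            secrets.append(self.previous)
        return secrets

    def verify(self, body: bytes, header: str, now: datetime) -> bool:
        received = [p.strip().encode() for p in header.split(",") if p.strip()]
        ok = False
        for secret in self.active_secrets(now):
            expected = sign(secret, body).encode()
            for candidate in received:
                # Constant-time compare, no early exit on the first match.
                ok |= hmac.compare_digest(expected, candidate)
        return ok

# Constructed sample data (not real secrets, ids or timestamps).
OLD, NEW = "whsec_old_constructed", "whsec_new_constructed"
ROTATE_RESPONSE = {"id": "we_constructed", "secret": NEW,
                   "previous_secret_expires_at": "2026-03-01T13:00:00Z"}
DURING = datetime(2026, 3, 1, 12, 30, tzinfo=timezone.utc)  # inside grace period
AFTER = datetime(2026, 3, 1, 13, 30, tzinfo=timezone.utc)   # grace period over
BODY = b'{"event":"constructed.sample"}'
```

Pass the raw request bytes to `verify`, not a re-serialized JSON object, and load the new secret on every receiver instance before `previous_secret_expires_at`.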