Skip to main content
POST
/
v1
/
webhook-endpoints
/
{id}
/
rotate-secret
Rotate endpoint secret
curl --request POST \
  --url https://api.scrip.dev/v1/webhook-endpoints/{id}/rotate-secret \
  --header 'X-API-Key: <api-key>'
{
  "created_at": "2026-01-15T10:30:00Z",
  "description": "Production webhook receiver",
  "enabled_events": [
    "balance.credited",
    "balance.debited"
  ],
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "metadata": "<unknown>",
  "secret": "whsec_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
  "status": "ACTIVE",
  "updated_at": "2026-01-15T10:30:00Z",
  "url": "https://example.com/webhooks"
}
Generates a new signing secret for the endpoint. The old secret is invalidated immediately. The response includes the new secret — store it and update your verification code before in-flight deliveries arrive.
Any deliveries signed with the old secret that haven’t been verified yet will fail signature checks on your end. Coordinate the rotation with a brief window where your handler accepts both old and new signatures, or rotate during a low-traffic period.
For signature verification details, see the Webhooks guide — Signature Verification.

Authorizations

X-API-Key
string
header
required

API key passed in the X-API-Key header.

Path Parameters

id
string<uuid>
required

Endpoint ID

Response

Endpoint with new secret

created_at
string<date-time>

When the endpoint was created

Example:

"2026-01-15T10:30:00Z"

description
string

Human-readable label

Example:

"Production webhook receiver"

enabled_events
string[]

Subscribed event types

Example:
["balance.credited", "balance.debited"]
id
string<uuid>

Endpoint ID

Example:

"550e8400-e29b-41d4-a716-446655440000"

metadata
any

Arbitrary metadata

secret
string

Signing secret (only returned on create and rotate — store it immediately)

Example:

"whsec_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"

status
string

Lifecycle status: ACTIVE, DISABLED, or ARCHIVED

Example:

"ACTIVE"

updated_at
string<date-time>

When the endpoint was last modified

Example:

"2026-01-15T10:30:00Z"

url
string

Destination URL for deliveries

Example:

"https://example.com/webhooks"