Rotate webhook signing secret

curl --request POST \
  --url https://api.firma.dev/functions/v1/signing-request-api/webhooks/rotate-secret \
  --header 'Authorization: <api-key>'

{
  "message": "Webhook secret rotated successfully",
  "new_secret": "a1b2c3d4e5f6...",
  "grace_period_hours": 168,
  "warning": "Update your webhook signature verification to use the new secret. The old secret will remain valid for 7 days."
}

POST

webhooks

rotate-secret

Rotate webhook signing secret

curl --request POST \
  --url https://api.firma.dev/functions/v1/signing-request-api/webhooks/rotate-secret \
  --header 'Authorization: <api-key>'

{
  "message": "Webhook secret rotated successfully",
  "new_secret": "a1b2c3d4e5f6...",
  "grace_period_hours": 168,
  "warning": "Update your webhook signature verification to use the new secret. The old secret will remain valid for 7 days."
}

Authorizations

Authorization

string

header

required

API key for authentication. Use your API key directly without any prefix (e.g., 'your-api-key'). Bearer prefix is optional but not required.

Response

Secret rotated successfully

message

string

new_secret

string

The new webhook signing secret (64 character hex string)

grace_period_hours

integer

Hours the old secret remains valid alongside the new one

warning

string

Reminder to update webhook signature verification

Get webhook secret rotation status Generate jwt token for embedding templates

⌘I

Endpoints

Authorizations

Response