Rotate webhook signing secret

curl --request POST \
  --url https://api.firma.dev/functions/v1/signing-request-api/webhooks/rotate-secret \
  --header 'Authorization: <api-key>'

{
  "message": "Webhook secret rotated successfully",
  "new_secret": "a1b2c3d4e5f6...",
  "grace_period_hours": 168,
  "warning": "Update your webhook signature verification to use the new secret. The old secret will remain valid for 7 days."
}

POST

webhooks

rotate-secret

Rotate webhook signing secret

curl --request POST \
  --url https://api.firma.dev/functions/v1/signing-request-api/webhooks/rotate-secret \
  --header 'Authorization: <api-key>'

{
  "message": "Webhook secret rotated successfully",
  "new_secret": "a1b2c3d4e5f6...",
  "grace_period_hours": 168,
  "warning": "Update your webhook signature verification to use the new secret. The old secret will remain valid for 7 days."
}

Authorizations

Authorization

string

header

required

API key for authentication. Use your API key directly without any prefix (e.g., 'your-api-key'). Bearer prefix is optional but not required.

Response

Secret rotated successfully

message

string

new_secret

string

The new webhook signing secret (64 character hex string)

grace_period_hours

integer

Hours the old secret remains valid alongside the new one

warning

string

Reminder to update webhook signature verification

Get webhook secret rotation status Get Workspace Webhook Secret Status

⌘I

Endpoints

Documentation Index

Authorizations

Response