Rotate webhook signing secret.
Generates a new HMAC-SHA256 signing secret for the webhook subscription. The previous secret remains valid for 24 hours to allow graceful rotation. After 24 hours, only the new secret will be accepted for signature verification.
Authorizations
API key issued at onboarding. Passed as a Bearer token in the Authorization header: Authorization: Bearer <api-key>. Identifies the caller and determines organization scope. Invalid or revoked keys return 401 with error type authentication_error.
Ed25519 or RSA-SHA256 asymmetric signature over the request payload (ADR-0015). Provides request integrity and non-repudiation. The signature covers the HTTP method, path, query string, request body, and timestamp. Invalid signatures return 401 with error type authentication_error.
Unix timestamp (seconds) of when the request was signed. Server rejects requests where the timestamp drifts beyond +/-60 seconds from server time to prevent replay attacks. Must match the timestamp used in the signature computation.
Headers
Idempotency key for this request. UUID v4 recommended. Max 128 characters. 24-hour retention. Same key + same body replays original response with Idempotency-Replayed: true. Same key + different body returns 409 (code: duplicate_idempotency_key). Same key while the original request is still processing returns 409 with a Retry-After header (code: idempotency_key_in_flight).
128"550e8400-e29b-41d4-a716-446655440000"
Path Parameters
Unique identifier of the webhook subscription (wsub_ prefix). Webhook subscription resource identifier.
^wsub_[A-Za-z0-9]+$"wsub_01953e1a5f4b700a"