> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getdialed.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate a webhook signing secret

> Rotates the HMAC signing secret. The **previous secret stays valid for a 24-hour overlap window** so in-flight requests signed with the old secret still verify — update your sender within 24h. The new `signing_secret` is returned exactly once. Cross-tenant access returns 404.



## OpenAPI

````yaml /openapi.json post /webhooks/{webhook_id}/rotate-secret
openapi: 3.1.0
info:
  title: GetDialed Flows API
  version: 0.1.0
servers:
  - url: https://api.getdialed.ai/flows
    description: Production
  - url: http://localhost:8000
    description: Local development
security: []
paths:
  /webhooks/{webhook_id}/rotate-secret:
    post:
      tags:
        - webhooks
      summary: Rotate a webhook signing secret
      description: >-
        Rotates the HMAC signing secret. The **previous secret stays valid for a
        24-hour overlap window** so in-flight requests signed with the old
        secret still verify — update your sender within 24h. The new
        `signing_secret` is returned exactly once. Cross-tenant access returns
        404.
      operationId: rotate_webhook_secret_webhooks__webhook_id__rotate_secret_post
      parameters:
        - name: webhook_id
          in: path
          required: true
          schema:
            type: string
            title: Webhook Id
      responses:
        '200':
          description: Successful Response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WebhookConfigCreateResponse'
        '401':
          description: Missing or invalid authentication
          content:
            application/json:
              example:
                detail: Authentication required
        '403':
          description: Admin role required
          content:
            application/json:
              example:
                detail: Admin role required
        '404':
          description: Not found — also returned on cross-tenant access (never 403)
          content:
            application/json:
              example:
                detail: Webhook not found
        '422':
          description: Validation error (see body for field details)
          content:
            application/json:
              example:
                detail: Validation error
        '429':
          description: Rate limit exceeded — retry after the Retry-After header
          content:
            application/json:
              example:
                detail: Rate limit exceeded
      security:
        - APIKeyHeader: []
        - HTTPBearer: []
components:
  schemas:
    WebhookConfigCreateResponse:
      properties:
        id:
          type: string
          title: Id
        definition_id:
          type: string
          title: Definition Id
        org_id:
          type: string
          title: Org Id
        description:
          type: string
          title: Description
        mode:
          type: string
          title: Mode
        provider:
          type: string
          title: Provider
        input_template:
          anyOf:
            - additionalProperties: true
              type: object
            - type: 'null'
          title: Input Template
        dispatch_retry:
          anyOf:
            - additionalProperties: true
              type: object
            - type: 'null'
          title: Dispatch Retry
        rate_limit:
          anyOf:
            - type: integer
            - type: 'null'
          title: Rate Limit
        enabled:
          type: boolean
          title: Enabled
        created_at:
          type: string
          format: date-time
          title: Created At
        updated_at:
          type: string
          format: date-time
          title: Updated At
        signing_secret:
          type: string
          title: Signing Secret
        receive_url:
          type: string
          title: Receive Url
      type: object
      required:
        - id
        - definition_id
        - org_id
        - description
        - mode
        - provider
        - input_template
        - dispatch_retry
        - rate_limit
        - enabled
        - created_at
        - updated_at
        - signing_secret
        - receive_url
      title: WebhookConfigCreateResponse
      description: |-
        POST response — the ONLY place the signing secret + receive URL appear.

        Show-once at create (and on explicit rotate); the read model omits both.
      example:
        created_at: '2026-07-09T09:00:00Z'
        definition_id: def_a1b2c3d4
        description: Inbound Stripe payment webhook
        enabled: true
        id: wh_1a2b3c4d5e6f
        mode: trigger
        org_id: org_e5f6g7h8
        provider: standard
        rate_limit: 1000
        receive_url: /webhooks/acme/wh_1a2b3c4d5e6f
        signing_secret: whsec_...
        updated_at: '2026-07-09T09:00:00Z'
  securitySchemes:
    APIKeyHeader:
      type: apiKey
      in: header
      name: X-API-Key
    HTTPBearer:
      type: http
      scheme: bearer
      bearerFormat: JWT

````