Rotate a webhook signing secret
Generates a new HMAC-SHA256 signing secret and returns it ONCE. Update your verification code with the new secret before the next delivery — the old secret is invalidated immediately. Use this after a suspected secret leak or as part of routine rotation.
curl -X POST "http://localhost:3000/api/v1/webhooks/string/rotate-secret"{
"id": "wh_2a8f1d",
"secret": "whsec_b9d4e7a2c0f6815f3a4d8b9e2c5f1d7a",
"rotatedAt": "2026-09-22T08:30:00.000Z"
}{
"statusCode": 0,
"message": "string",
"errors": {
"property1": [
"string"
],
"property2": [
"string"
]
}
}{
"statusCode": 0,
"message": "string",
"errors": {
"property1": [
"string"
],
"property2": [
"string"
]
}
}{
"statusCode": 0,
"message": "string",
"errors": {
"property1": [
"string"
],
"property2": [
"string"
]
}
}Delete a webhook endpoint DELETE
Deletes a webhook endpoint. In-flight deliveries (queued retries) are cancelled. Past delivery records are kept for 30 days and remain queryable via `/deliveries`.
Send a test event to a webhook POST
Enqueues a synthetic `seat.held` test event for delivery to the endpoint. Returns immediately with a `deliveryId`; check `/deliveries` to see the outcome (success / retrying / dead-lettered).