POST /api/v2/webhooks/{webhook_id}/rotate
Rotate a webhook secret
curl --request POST \
  --url https://agp.eu.hcompany.ai/api/v2/webhooks/{webhook_id}/rotate \
  --header 'Authorization: Bearer <token>'
Replaces the webhook’s signing secret. The response includes the new secret; like Create, this is the only time it is returned, so store it securely. Deliveries are signed at send time, so events (including retries already in flight) are signed with the new secret from this point on. Returns the webhook object plus its new secret.
Update your receiver to accept both the old and the new secret before calling this endpoint. The SDK verify helpers accept a list of secrets for exactly this overlap: verify_webhook(body, sig, ts, ["whsec_old", "whsec_new"]). Remove the old secret once deliveries verify against the new one.
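The overlap described above, sketched as an added example (not the SDK's code or part of the original page): a receiver that accepts both secrets and records which one verified each delivery, so you can tell when the old secret is safe to drop. The signing scheme (hex HMAC-SHA256 over `<timestamp>.<body>`), the 300-second tolerance, and the names `sign_delivery`, `matching_secret_index` and `RotationTracker` are assumptions for illustration; in production, call the SDK's `verify_webhook`.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; not specified on this page


def sign_delivery(secret, timestamp, body):
    # Assumed scheme: hex HMAC-SHA256 over b"<timestamp>.<body>".
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def matching_secret_index(body, signature, timestamp, secrets, now=None):
    """Return the index of the secret that verifies the delivery, or None."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return None  # malformed timestamp header
    if abs(now - ts) > TOLERANCE_SECONDS:
        return None  # stale or future-dated delivery: treat as a replay
    matched = None
    for i, secret in enumerate(secrets):
        expected = sign_delivery(secret, timestamp, body)
        # Constant-time compare; every secret is checked on every call.
        if hmac.compare_digest(expected.encode(), str(signature).encode()):
            matched = i if matched is None else matched
    return matched


class RotationTracker:
    """Accepts old and new secrets and counts which one verified each delivery."""

    def __init__(self, old_secret, new_secret):
        self.secrets = [old_secret, new_secret]
        self.hits = {"old": 0, "new": 0, "rejected": 0}

    def handle(self, body, signature, timestamp, now=None):
        idx = matching_secret_index(body, signature, timestamp, self.secrets, now)
        label = "rejected" if idx is None else ("old", "new")[idx]
        self.hits[label] += 1
        return idx is not None

    def old_secret_retirable(self):
        # Per the guidance above: drop the old secret once deliveries verify against the new one.
        return self.hits["new"] > 0
```

Pass the raw request body bytes to `handle`, not a re-serialized JSON object, since any change in whitespace or key order changes the HMAC.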

Path parameters

webhook_id
string
required
The webhook’s id (UUID).

Examples

curl -X POST https://agp.eu.hcompany.ai/api/v2/webhooks/f47ac10b-58cc-4372-a567-0e02b2c3d479/rotate \
  -H "Authorization: Bearer $HAI_API_KEY"
Response
{
  "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "url": "https://example.com/hooks/h",
  "enabled_events": ["*"],
  "description": "Production listener",
  "disabled": false,
  "created_at": "2026-06-11T15:04:05Z",
  "updated_at": "2026-07-02T09:00:00Z",
  "secret": "whsec_nZbY0eXaMpLeOnLyDoNotUse0aQ3rT5uV7wX9yZ1aB3c"
}

Errors

| Status | Cause |
| --- | --- |
| 404 | Webhook not found or you don’t have access. |