Skip to main content
POST
/
apps
/
{client_id}
/
webhook-config
/
rotate-secret
curl -X POST \
  -H "Authorization: Bearer sk_workspace_test_..." \
  "https://sandbox.api.hopae.com/connect/v1/apps/abc123/webhook-config/rotate-secret"

{
  "secret": "whsec_a3f2c1e4b8d7f6a9c2e5b1d4f7a0c3e6b9d2f5a8c1e4b7d0f3a6c9e2b5d8f1a4"
}
Generates a new HMAC-SHA256 signing secret for the app’s webhook configuration. See the Webhook Signature Verification guide for how to verify signed deliveries.
Store the new secret immediately in a secure location (e.g., environment variable or secret manager). The secret is also available via GET /webhook-config.
Any requests signed with the old secret will fail signature verification after rotation. If you have active consumers verifying signatures, roll over to the new secret gradually — accept both old and new secrets during a transition window before discarding the old one.

Request

Authorization
string
required
Bearer <API_KEY> from Console > Developers > Workspace API Keys.
Idempotency-Key
string
Optional client-generated string (max 255 chars) to safely retry a rotation without re-executing it. If the same key is replayed with an empty body, the original response (and the same rotated secret) is returned with an Idempotency-Replayed: true header. Valid for 24 hours.

Path parameters

client_id
string
required
Client identifier of the app.

Request body

None. Send an empty body or omit the body entirely.

Response

secret
string
The new webhook signing secret (e.g. whsec_...). Use this to verify the X-Hopae-Signature header on incoming webhook deliveries.
curl -X POST \
  -H "Authorization: Bearer sk_workspace_test_..." \
  "https://sandbox.api.hopae.com/connect/v1/apps/abc123/webhook-config/rotate-secret"

{
  "secret": "whsec_a3f2c1e4b8d7f6a9c2e5b1d4f7a0c3e6b9d2f5a8c1e4b7d0f3a6c9e2b5d8f1a4"
}