> ## Documentation Index > Fetch the complete documentation index at: https://docs.hopae.com/llms.txt > Use this file to discover all available pages before exploring further. # Rotate Webhook Secret > Generate a new signing secret for webhook delivery. Generates a new HMAC-SHA256 signing secret for the app's webhook configuration. See the [Webhook Signature Verification](/guides/webhook-signing) guide for how to verify signed deliveries. Store the new secret immediately in a secure location (e.g., environment variable or secret manager). The secret is also available via `GET /webhook-config`. Any requests signed with the **old** secret will fail signature verification after rotation. If you have active consumers verifying signatures, roll over to the new secret gradually — accept both old and new secrets during a transition window before discarding the old one. ## Request `Bearer ` from Console > Developers > Workspace API Keys. Optional client-generated string (max 255 chars) to safely retry a rotation without re-executing it. If the same key is replayed with an empty body, the original response (and the same rotated secret) is returned with an `Idempotency-Replayed: true` header. Valid for 24 hours. ### Path parameters Client identifier of the app. ### Request body None. Send an empty body or omit the body entirely. ## Response The new webhook signing secret (e.g. `whsec_...`). Use this to verify the `X-Hopae-Signature` header on incoming webhook deliveries. ```bash theme={null} curl -X POST \ -H "Authorization: Bearer sk_workspace_test_..." \ "https://sandbox.api.hopae.com/connect/v1/apps/abc123/webhook-config/rotate-secret" ``` ```json theme={null} { "secret": "whsec_a3f2c1e4b8d7f6a9c2e5b1d4f7a0c3e6b9d2f5a8c1e4b7d0f3a6c9e2b5d8f1a4" } ```