POST /webhooks/endpoints/{id}/rotate
Rotate a webhook endpoint's signing secret
curl --request POST \
  --url https://api.conduit.financial/v2/webhooks/endpoints/{id}/rotate \
  --header 'Idempotency-Key: <idempotency-key>' \
  --header 'x-api-key: <api-key>'
{
  "id": "<string>",
  "url": "https://api.example.com/webhooks/conduit",
  "description": "Production webhook receiver",
  "active": true,
  "subscription": {
    "mode": "ALL"
  },
  "createdAt": "2026-01-15T09:30:00.000Z",
  "updatedAt": "2026-01-15T09:30:00.000Z",
  "secret": "whsec_8f3a2b1c4d5e6f7081928374a5b6c7d8e9f0a1b2c3d4e5f60718293a4b5c6d7e",
  "signature": {
    "algorithm": "hmac-sha256",
    "headerName": "X-Conduit-Signature",
    "headerFormat": "t=<unix-seconds>,v1=<hex-digest>[,v1=<hex-digest>]",
    "signedPayloadFormat": "<unix-seconds>.<raw-request-body>",
    "secretFormat": "whsec_<64-hex>"
  }
}

Authorizations

x-api-key
string
header
required

Headers

Idempotency-Key
string
required

Caller-generated unique key that lets the server safely replay this request. The cached response is returned for 5 minutes on any retry with the same key from the same API principal. Required on every state-changing money-moving or resource-creating POST.

Required string length: 1 - 128
Pattern: ^[A-Za-z0-9_.:-]{1,128}$

Path Parameters

id
string
required

Response

id
string
required

Unique webhook endpoint identifier

Pattern: ^wep_[0-9A-Za-z]{22}$

url
string
required

URL where webhook payloads are delivered

Example:

"https://api.example.com/webhooks/conduit"

description
string | null
required

Human-readable description of this endpoint's purpose

Example:

"Production webhook receiver"

active
boolean
required

Whether this endpoint is currently receiving new deliveries. When false, the endpoint is excluded from event fan-out — no new deliveries are enqueued. In-flight (already-enqueued) deliveries are not cancelled and continue retrying per the normal schedule. Flip back to true via PATCH to resume receiving new deliveries.

Example:

true

subscription
object
required

Event subscription configuration for this endpoint

createdAt
string<date-time>
required

ISO 8601 timestamp

Example:

"2026-01-15T09:30:00.000Z"

updatedAt
string<date-time>
required

ISO 8601 timestamp

Example:

"2026-01-15T09:30:00.000Z"

secret
string
required

Per-endpoint signing secret. Returned only once — when the endpoint is created and again each time its secret is rotated — so store it securely. Format: literal whsec_ prefix + 64 hex chars (see signature.secretFormat). Pass the FULL string verbatim, including the whsec_ prefix, as the HMAC-SHA256 key when verifying incoming X-Conduit-Signature headers — stripping the prefix produces a different digest and every valid delivery fails verification.

Example:

"whsec_8f3a2b1c4d5e6f7081928374a5b6c7d8e9f0a1b2c3d4e5f60718293a4b5c6d7e"

signature
object
required

Signature verification metadata. Same constants apply to every webhook delivery; signing secrets are per-endpoint.
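
A receiver-side verifier built from the signature constants above, as an added example that is not Conduit's own code. The function names, the 300-second timestamp tolerance and the sample body and timestamp are assumptions constructed for illustration; the secret is the example value shown on this page.

```python
import hashlib
import hmac
import re
import time

SECRET_RE = re.compile(r"whsec_[0-9A-Fa-f]{64}")  # signature.secretFormat
TOLERANCE_SECONDS = 300  # assumption: the page does not state a replay window


def sign(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of '<unix-seconds>.<raw-request-body>'."""
    if not SECRET_RE.fullmatch(secret):
        # A stripped whsec_ prefix would silently yield a different digest.
        raise ValueError("use the full secret, whsec_ prefix included")
    payload = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret.encode("ascii"), payload, hashlib.sha256).hexdigest()


def parse_header(value: str):
    """Parse 't=<unix-seconds>,v1=<hex>[,v1=<hex>]' into (timestamp, digests)."""
    timestamp, digests = None, []
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        if key == "t" and re.fullmatch(r"[0-9]{1,12}", val):
            timestamp = int(val)
        elif key == "v1" and re.fullmatch(r"[0-9A-Fa-f]{64}", val):
            digests.append(val.lower())
    return timestamp, digests


def verify(secret: str, header_value: str, raw_body: bytes, now=None) -> bool:
    """True only if the timestamp is fresh and some v1 digest matches."""
    timestamp, digests = parse_header(header_value)
    if timestamp is None or not digests:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, timestamp, raw_body)
    # Constant-time compare against every v1 value the header carries.
    matches = [hmac.compare_digest(expected, d) for d in digests]
    return any(matches)


# Constructed sample delivery; the secret is the example value from this page.
SECRET = "whsec_8f3a2b1c4d5e6f7081928374a5b6c7d8e9f0a1b2c3d4e5f60718293a4b5c6d7e"
BODY = b'{"type":"example.event","id":"evt_constructed"}'
TS = 1768469400
HEADER = f"t={TS},v1={'0' * 64},v1={sign(SECRET, TS, BODY)}"
```

Pass `verify` the request body bytes exactly as received, before any JSON parsing or re-serialisation, since the digest covers the raw body.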