> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vouchmark.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate webhook secret

> Generate a new signing secret for a webhook. The old secret stops working immediately.

Rotates the signing secret for a webhook subscription. A new `signingSecret` (`whsec_...`) is generated and returned in full, once. The previous secret stops verifying deliveries immediately.

## Path parameters

<ParamField path="id" type="string" required>
  The webhook ID to rotate the signing secret for.
</ParamField>

## Body

No request body.

<RequestExample>
  ```bash cURL theme={null}
  curl -X POST https://api.vouchmark.com/v1/developers/webhooks/.../rotate-secret \
    -H "Authorization: Bearer $TOKEN"
  ```
</RequestExample>

<ResponseExample>
  ```json theme={null}
  {
    "success": true,
    "data": {
      "id": "...",
      "appId": "...",
      "environment": "live",
      "serviceType": "kyc_widget",
      "endpoint": "https://...",
      "isActive": true,
      "signingSecret": "whsec_...",
      "createdAt": "..."
    }
  }
  ```
</ResponseExample>

Returns `201 Created`.

<Warning>
  The previous signing secret stops verifying deliveries **immediately**. Update every
  integration that verifies this webhook with the new `signingSecret` in lockstep. The full
  secret is returned only here — store it securely now, it cannot be retrieved later. See
  [Verifying the signature](/webhooks#verifying-the-signature).
</Warning>

## Response fields

<ResponseField name="success" type="boolean" />

<ResponseField name="data" type="object">
  <Expandable title="webhook">
    <ResponseField name="id" type="string" />

    <ResponseField name="appId" type="string" />

    <ResponseField name="environment" type="string">
      One of `sandbox` or `live`.
    </ResponseField>

    <ResponseField name="serviceType" type="string">
      One of `kyc_widget`, `verification`, `trust_monitor`, `disputes`.
    </ResponseField>

    <ResponseField name="endpoint" type="string" />

    <ResponseField name="isActive" type="boolean">
      Whether the subscription is active and receiving deliveries.
    </ResponseField>

    <ResponseField name="signingSecret" type="string">
      The new full signing secret (`whsec_...`), returned once. Use it to verify the
      `X-Vouchmark-Signature` header on deliveries.
    </ResponseField>

    <ResponseField name="createdAt" type="string" />
  </Expandable>
</ResponseField>
