Skip to main content
POST
/
public
/
v1
/
webhooks
/
{id}
/
rotate-secret
Rotate Webhook Secret
curl --request POST \
  --url https://api.pro.daya.co/public/v1/webhooks/{id}/rotate-secret \
  --header 'X-Api-Key: <x-api-key>'
{
  "success": true,
  "message": "Webhook secret rotated successfully",
  "data": {
    "id": "770e8400-e29b-41d4-a716-446655440000",
    "url": "https://example.com/webhooks/daya",
    "description": "Order notifications",
    "events": ["order.filled", "order.cancelled"],
    "status": "active",
    "secret": "b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef12345678",
    "failure_count": 0,
    "last_success_at": "2024-01-15T10:30:00Z",
    "last_failure_at": null,
    "last_failure_reason": null,
    "created_at": "2024-01-01T00:00:00Z",
    "updated_at": "2024-01-15T12:00:00Z"
  },
  "timestamp": "2024-01-15T12:00:00Z"
}

Overview

Generate a new signing secret for a webhook. The old secret becomes invalid immediately. The new secret is only returned once, so make sure to store it securely.

Authentication

X-Api-Key
string
required
Your API key with Write scope
X-Api-Key: daya_sk_YOUR_API_KEY

Path Parameters

id
string
required
Webhook ID (UUID)Example: 770e8400-e29b-41d4-a716-446655440000

Request Examples

curl --request POST \
  --url 'https://api.pro.daya.co/public/v1/webhooks/770e8400-e29b-41d4-a716-446655440000/rotate-secret' \
  --header 'X-Api-Key: daya_sk_YOUR_API_KEY'

Response

success
boolean
required
Indicates if the request was successful
message
string
required
Human-readable response message
data
object
required
Webhook with new secret

Success Response

{
  "success": true,
  "message": "Webhook secret rotated successfully",
  "data": {
    "id": "770e8400-e29b-41d4-a716-446655440000",
    "url": "https://example.com/webhooks/daya",
    "description": "Order notifications",
    "events": ["order.filled", "order.cancelled"],
    "status": "active",
    "secret": "b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef12345678",
    "failure_count": 0,
    "last_success_at": "2024-01-15T10:30:00Z",
    "last_failure_at": null,
    "last_failure_reason": null,
    "created_at": "2024-01-01T00:00:00Z",
    "updated_at": "2024-01-15T12:00:00Z"
  },
  "timestamp": "2024-01-15T12:00:00Z"
}
The secret is a 64-character hex string (32 bytes). This is the raw secret used for HMAC-SHA256 signature verification.

Error Responses

{
  "success": false,
  "message": "Validation error",
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid webhook ID format"
  }
}
The old secret becomes invalid immediately. After rotating, update your webhook verification code with the new secret before processing any new webhook deliveries.

Rate Limits

  • 100 requests per minute per API key

Next Steps

Webhook Verification

Learn how to verify webhook signatures

Get Webhook

View webhook details