Generate a new signing secret for an endpoint — for example if the old one leaked.
The new secret is returned once. For the next 24 hours Dravo dual-signs every
delivery with both the new and the previous secret (two comma-separated values in
X-Dravo-Signature), so a receiver that still holds the old secret keeps
verifying while you roll out the new one. After the grace window only the new
secret is sent. See verifying the signature.
POST
/v1/webhooks/{webhook_id}/rotate-secretDashboard JWT only
Rotate the signing secret. The previous secret stays valid for 24h (dual-signed) so receivers can migrate. The new secret is shown once.
Body & query parameters
webhook_idstringpathrequiredEndpoint whose secret to rotate.
const response = await fetch("https://api.dravo.dev/v1/webhooks/{webhook_id}/rotate-secret", { method: "POST", headers: { "Authorization": "Bearer " + process.env.DRAVO_API_KEY,}});const data = await response.json();console.log(data);{ "id": "wh_1", "url": "https://example.com/hook", "events": [ "post.published" ], "signing_secret": "whsec_…"}