---
title: "Rotate secret"
description: "Roll an endpoint's signing secret. The old one stays valid for 24h so receivers can migrate."
section: "API reference"
url: https://dravo.dev/docs/api/webhooks/rotate-secret
---
# Rotate secret

Generate a new signing secret for an endpoint — for example if the old one leaked.
The new secret is returned **once**. For the next 24 hours Dravo dual-signs every
delivery with both the new and the previous secret (two comma-separated values in
`X-Dravo-Signature`), so a receiver that still holds the old secret keeps
verifying while you roll out the new one. After the grace window, deliveries are
signed with the new secret only. See [verifying the signature](/docs/concepts/webhooks#verifying-the-signature).
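
A receiver-side check for the grace window described above, as an added example (not Dravo's own code). It assumes each signature value is a hex HMAC-SHA256 of the raw request body, which this page does not specify; the secrets, body and function names are constructed for illustration, so take the real scheme from the linked verification guide.

```python
import hashlib
import hmac

# Constructed sample values, not real secrets or a real delivery.
OLD_SECRET = "whsec_old_constructed"
NEW_SECRET = "whsec_new_constructed"
BODY = b'{"id":"evt_1","type":"post.published"}'


def sign(secret: str, body: bytes) -> str:
    # ASSUMPTION: hex HMAC-SHA256 over the raw body; the page does not state the scheme.
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> list[str]:
    # One value normally, two comma-separated values during the 24h grace window.
    return [v.strip() for v in (header or "").split(",") if v.strip()]


def verify_delivery(header: str, body: bytes, held_secrets: list[str]) -> bool:
    """Accept if any header value matches any secret the receiver holds."""
    candidates = parse_signature_header(header)
    if not candidates or len(candidates) > 2:
        return False  # defensive bound: the page describes at most two values
    ok = False
    for secret in held_secrets:
        expected = sign(secret, body).encode()
        for candidate in candidates:
            # Constant-time compare; no early exit, order of values not assumed.
            ok |= hmac.compare_digest(expected, candidate.encode())
    return ok


def grace_window_header(body: bytes) -> str:
    # What a dual-signed delivery would carry under the assumed scheme.
    return f"{sign(NEW_SECRET, body)},{sign(OLD_SECRET, body)}"


if __name__ == "__main__":
    dual = grace_window_header(BODY)
    print("old-secret receiver, grace window:", verify_delivery(dual, BODY, [OLD_SECRET]))
    print("old-secret receiver, after window:",
          verify_delivery(sign(NEW_SECRET, BODY), BODY, [OLD_SECRET]))
```

During migration, configure the receiver with both secrets, then drop the old one once the 24-hour window has passed.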

#### `POST /v1/webhooks/{webhook_id}/rotate-secret`

Rotate the signing secret. The previous secret stays valid for 24h (dual-signed) so receivers can migrate. The new secret is shown once.

**Auth:** Dashboard JWT only

| Field | In | Type | Required | Description |
| --- | --- | --- | --- | --- |
| `webhook_id` | path | string | yes | Endpoint whose secret to rotate. |

Response `200`: Endpoint with the new signing secret (shown once).

```json
{
  "id": "wh_1",
  "url": "https://example.com/hook",
  "events": [
    "post.published"
  ],
  "signing_secret": "whsec_…"
}
```
