Rotate the endpoint's signing secret

curl --request POST \
  --url https://api.scripe.io/v1/webhook-endpoints/{endpointId}/rotate-secret \
  --header 'Authorization: Bearer <token>'

{
  "data": {
    "id": "whe_a1b2c3d4e5f6g7h8",
    "url": "https://hooks.example.com/scripe",
    "name": "Production CRM",
    "events": [
      "post.created",
      "job.completed"
    ],
    "isActive": true,
    "disabledReason": "<string>",
    "projectId": "<string>",
    "secretLast4": "<string>",
    "createdAt": "2023-11-07T05:31:56Z",
    "secret": "whsec_4f9d3b6a1e2c8f0d7b5a4e9c2d1f8a3b6c5e0d9f2a1b4c7e8d3f6a5b2c1e0d4f",
    "updatedAt": "2023-11-07T05:31:56Z"
  }
}

Webhooks

Rotate the endpoint's signing secret

Mint a new plaintext signing secret and persist it as the canonical secret for the endpoint. The response carries the plaintext once; future reads expose only secretLast4.

In-flight deliveries finish signing with the previous secret; anything enqueued after the rotation lands uses the new one. Plan a brief overlap window in your receiver if you can’t afford a single missed verification.

Not idempotent — every call generates a fresh secret. Requires the webhooks:manage scope.

POST

webhook-endpoints

{endpointId}

rotate-secret

Rotate the endpoint's signing secret

curl --request POST \
  --url https://api.scripe.io/v1/webhook-endpoints/{endpointId}/rotate-secret \
  --header 'Authorization: Bearer <token>'

{
  "data": {
    "id": "whe_a1b2c3d4e5f6g7h8",
    "url": "https://hooks.example.com/scripe",
    "name": "Production CRM",
    "events": [
      "post.created",
      "job.completed"
    ],
    "isActive": true,
    "disabledReason": "<string>",
    "projectId": "<string>",
    "secretLast4": "<string>",
    "createdAt": "2023-11-07T05:31:56Z",
    "secret": "whsec_4f9d3b6a1e2c8f0d7b5a4e9c2d1f8a3b6c5e0d9f2a1b4c7e8d3f6a5b2c1e0d4f",
    "updatedAt": "2023-11-07T05:31:56Z"
  }
}

Authorizations

Authorization

string

header

required

Pass Authorization: Bearer scripe_sk_live_<...> (or scripe_sk_test_<...> for test keys) on every request. Keys are scoped to a single workspace and can be revoked from the Scripe dashboard.

Headers

Scripe-Api-Version

string

Pin the API version. Format YYYY-MM-DD. Omit to receive the currently rolling default. Unknown versions return 400 version_unsupported.

Example:

"2026-08-01"

Path Parameters

endpointId

string

required

Example:

"whe_a1b2c3d4e5f6g7h8"

Response

Secret rotated. Response carries the new plaintext secret.

data

object

required

Display-safe shape of a webhook endpoint. The plaintext signing secret is never present here — only secretLast4. Use WebhookEndpointWithSecret (returned by create + rotate) when the plaintext matters.

Show child attributes

Update webhook endpoint

⌘I

Documentation Index

Authorizations

Headers

Path Parameters

Response