This endpoint generates a new webhook signing secret for a subscription. To avoid dropping deliveries during a key rotation, you can specify a grace period during which the service signs each delivery with both the old and the new secret. Your endpoint can then validate against either, giving you time to deploy the new secret without downtime.
Request
Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Bearer oth_YOUR_API_KEY |
| Content-Type | Yes | application/json |
| Idempotency-Key | No | A unique key to safely retry this request without causing a double rotation. |
Path parameters
The subscription ID (e.g. sub_2QkP9aB7xN...).
Body
How long, in seconds, the old secret remains valid alongside the new one. Set to 0 for an immediate cutover — the old secret becomes invalid as soon as the request completes. Defaults to 0.
Response
200 OK — the newly generated secret.
During the grace period
While the grace period is active, the webhook-signature delivery header contains space-separated v1, signatures for both secrets:
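A receiver-side check that accepts either secret during the grace period, as an added example that is not part of this service's documentation. It assumes each signature is a base64-encoded HMAC-SHA256 over signed content the caller assembles; the page does not state the signing scheme, so confirm it against the service's verification guide. The function names and the MAX_SIGNATURES cap are hypothetical.

```python
import base64
import hashlib
import hmac

MAX_SIGNATURES = 8  # assumed cap; bounds the work done on an oversized header


def sign(secret: bytes, signed_content: bytes) -> str:
    """Build one 'v1,<base64>' token (assumed scheme: HMAC-SHA256)."""
    mac = hmac.new(secret, signed_content, hashlib.sha256).digest()
    return "v1," + base64.b64encode(mac).decode()


def parse_signatures(header: str) -> list[bytes]:
    """Decode the v1 signatures from a space-separated header value."""
    sigs = []
    for token in header.split()[:MAX_SIGNATURES]:
        version, sep, encoded = token.partition(",")
        if version != "v1" or not sep:
            continue  # skip unknown versions and malformed tokens
        try:
            sigs.append(base64.b64decode(encoded, validate=True))
        except ValueError:
            continue  # skip tokens that are not valid base64
    return sigs


def verify(signed_content: bytes, header: str, secrets: list[bytes]) -> bool:
    """True if any presented signature matches any trusted secret."""
    presented = parse_signatures(header)
    ok = False
    for secret in secrets:
        expected = hmac.new(secret, signed_content, hashlib.sha256).digest()
        for sig in presented:
            # Constant-time comparison; never compare MACs with ==.
            ok |= hmac.compare_digest(expected, sig)
    return ok


# Constructed sample data, not real secrets or a real delivery.
OLD_SECRET = b"constructed-old-secret"
NEW_SECRET = b"constructed-new-secret"
BODY = b'{"event":"example.created","id":"evt_constructed"}'
GRACE_HEADER = f"{sign(OLD_SECRET, BODY)} {sign(NEW_SECRET, BODY)}"

if __name__ == "__main__":
    # A receiver that still holds only the old secret keeps validating.
    print(verify(BODY, GRACE_HEADER, [OLD_SECRET]))
    # After deploying the new secret, the same delivery validates too.
    print(verify(BODY, GRACE_HEADER, [NEW_SECRET]))
```

Once the grace period has ended and the new secret is deployed everywhere, drop the old secret from the list passed to `verify` so a leaked old key stops being accepted.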
Idempotency
Use the Idempotency-Key header to safely retry this request if you receive a network error or timeout. If the server has already processed a request with the same key, it returns the cached response without generating a new secret. Sending a conflicting body with the same key returns idempotency_conflict.
Errors
| Code | HTTP | Description |
|---|---|---|
| not_found | 404 | The subscription ID does not exist or belongs to a different API key. |
| idempotency_in_flight | 409 | A request with this Idempotency-Key is currently being processed. Retry after a short delay. |
| idempotency_conflict | 409 | A request with this Idempotency-Key was already completed with a different request body. |
| unauthorized | 401 | The Authorization header is missing or the key is invalid. |