https://api.veriko.mx/v1/webhooks/{id}/regenerate-secret Regenerate webhook signing secret
How-to guide →Rotates the HMAC-SHA256 signing secret for the endpoint. The new secret is returned exactly once in this response — the previous one is invalidated immediately. Store it securely.
| Parameter | In | Type | Required | Description |
|---|---|---|---|---|
id * | path | string (uuid) | required | UUID of the webhook endpoint. |
curl -X POST 'https://api.veriko.mx/v1/webhooks/{id}/regenerate-secret' \
-H 'Authorization: Bearer mxcep_••••' \
-H 'Content-Type: application/json'
Python example — coming soon.
JavaScript example — coming soon.
PHP example — coming soon.
| Field | Type | Description |
|---|---|---|
type * | string | |
id * | string (uuid) | Endpoint identifier. |
attributes * | object | Canonical webhook endpoint attributes (receiver URL, subscribed events, status, and secret). |
url | string (uri) | HTTPS receiver URL. Production rejects plain HTTP, URLs resolving to private IPs (SSRF), and URLs `>2048` chars. |
events | array | List of subscribed events. Maximum 10. |
description | string | null nullable | Free-form endpoint label. |
status | string | `active` receives deliveries. `disabled` was manually paused. `auto_disabled` was disabled by the platform after exceeding `webhooks.auto_disable_threshold` consecutive failures. |
consecutive_failures | integer | Consecutive failures counter. Resets on a success. |
last_delivery_at | union | UTC timestamp of the last delivery attempt (any status). `null` when the endpoint hasn't received any delivery yet. |
secret | string | Shared secret for signature verification. **Only present** in the create and rotate-secret responses; omitted from every other response. |
secret_hint | string | Last 4 chars of the secret prefixed with `...`. Present on any response where the full `secret` is hidden. |
created_at | string (date-time) | ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable. |
updated_at | string (date-time) | ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable. |
| Status | Class | Description | Body |
|---|---|---|---|
| 200 | 2xx | New signing secret generated. Returned only in this response. | No body |
| 401 | 4xx | Authentication is required or the provided credentials are invalid. | ErrorResponse |
| 403 | 4xx | Permisos insuficientes | ErrorResponse |
| 404 | 4xx | `not_found` — endpoint does not exist or does not belong to the user. | ErrorResponse |
| 429 | 4xx | Rate limit exceeded | ErrorResponse |
| Status | Code | Detail |
|---|---|---|
| 401 | unauthorized | Invalid or missing authentication credentials. Envelope
|
| 403 | forbidden | You do not have permission to access this resource. Envelope
|
| 429 | rate_limit_exceeded | Rate limit exceeded. Try again in 45 seconds. Envelope
Response headers
|