POST https://api.veriko.mx/v1/webhooks/{id}/regenerate-secret

Regenerate webhook signing secret

Audience
public
Permission
webhooks:update
How-to guide →

Rotates the HMAC-SHA256 signing secret for the endpoint. The new secret is returned exactly once in this response — the previous one is invalidated immediately. Store it securely.

Parameters
Parameter In Type Required Description
id * path string (uuid) required

UUID of the webhook endpoint.

Request
curl -X POST 'https://api.veriko.mx/v1/webhooks/{id}/regenerate-secret' \
  -H 'Authorization: Bearer mxcep_••••' \
  -H 'Content-Type: application/json'

Python example — coming soon.

JavaScript example — coming soon.

PHP example — coming soon.

Response 200 WebhookEndpoint — List of the user's webhook endpoints with their status and subscribed events.
Field Type Description
type * string

id * string (uuid)

Endpoint identifier.

attributes * object

Canonical webhook endpoint attributes (receiver URL, subscribed events, status, and secret).

url string (uri)

HTTPS receiver URL. Production rejects plain HTTP, URLs resolving to private IPs (SSRF), and URLs `>2048` chars.

events array

List of subscribed events. Maximum 10.

description string | null nullable

Free-form endpoint label.

status string

`active` receives deliveries. `disabled` was manually paused. `auto_disabled` was disabled by the platform after exceeding `webhooks.auto_disable_threshold` consecutive failures.

consecutive_failures integer

Consecutive failures counter. Resets on a success.

last_delivery_at union

UTC timestamp of the last delivery attempt (any status). `null` when the endpoint hasn't received any delivery yet.

secret string

Shared secret for signature verification. **Only present** in the create and rotate-secret responses; omitted from every other response.

secret_hint string

Last 4 chars of the secret prefixed with `...`. Present on any response where the full `secret` is hidden.

created_at string (date-time)

ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable.

updated_at string (date-time)

ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable.

Response status codes POST /v1/webhooks/{id}/regenerate-secret
Status Class Description Body
200 2xx New signing secret generated. Returned only in this response. No body
401 4xx Authentication is required or the provided credentials are invalid. ErrorResponse
403 4xx Permisos insuficientes ErrorResponse
404 4xx `not_found` — endpoint does not exist or does not belong to the user. ErrorResponse
429 4xx Rate limit exceeded ErrorResponse
Errors from POST /v1/webhooks/{id}/regenerate-secret
Status Code Detail
401 unauthorized

Invalid or missing authentication credentials.

Envelope
meta.request_id
c4d5e6f7a8b9
403 forbidden

You do not have permission to access this resource.

Envelope
meta.request_id
d5e6f7a8b9c0
429 rate_limit_exceeded

Rate limit exceeded. Try again in 45 seconds.

Envelope
meta.request_id
f7a8b9c0d1e2
Response headers
  • Retry-After : integer — Seconds to wait before retrying. Matches the endpoint's rate-limit window (typically 60s for list endpoints, 1-5s for in-flight idempotent operations).
  • X-RateLimit-Limit : integer — Configured request cap for this bucket (emitted only on 429).
  • X-RateLimit-Remaining : integer — Requests remaining in the current window — always 0 at the moment of the 429 (emitted only on 429).
  • X-RateLimit-Reset : integer — Absolute Unix epoch (seconds) when the window resets. Emitted only on 429, alongside Retry-After. Per-endpoint overrides exist (e.g. `rate_limited_login`).