Skip to main content
Rotate webhook secret
curl --request POST \
  --url https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret
import requests

url = "https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret"

response = requests.post(url)

print(response.text)
const options = {method: 'POST'};

fetch('https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));
<?php

$curl = curl_init();

curl_setopt_array($curl, [
CURLOPT_URL => "https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
package main

import (
"fmt"
"net/http"
"io"
)

func main() {

url := "https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret"

req, _ := http.NewRequest("POST", url, nil)

res, _ := http.DefaultClient.Do(req)

defer res.Body.Close()
body, _ := io.ReadAll(res.Body)

fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.post("https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret")
.asString();
require 'uri'
require 'net/http'

url = URI("https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Post.new(url)

response = http.request(request)
puts response.read_body
Pre-release — contact your Fortary account team for access.
Illustrative reference. These examples show the shape of the API and are provided for early evaluation while it is still being finalized. Field names and response details may change before the API is released. A complete reference, generated directly from the live API, will replace these examples once it is available.
Generates a new signing secret. Requires the webhook:manage scope. The new secret signs deliveries immediately; the previous secret remains valid for a 24-hour grace window, during which the signature header carries a v1 entry for both secrets. Deploy the new secret to your handler within the window. A deleted webhook cannot be rotated.

Request

curl -X POST https://customer-api.fortary.io/v1/webhooks/whs_9b2f4e1a7c/rotate-secret \
  -H "Authorization: Bearer fort_..."

Response

The webhook — fields as in Get webhook — plus the new secret:
{
  "id": "whs_9b2f4e1a7c",
  "status": "ENABLED",
  "updatedAt": "2026-06-11T10:02:51Z",
  "secret": "whsec_xK7dR2..."
}
secret is returned exactly once. Store it now; it cannot be retrieved later — only rotated again.
Errors follow the standard error envelope.