Rotate webhook secret
curl --request POST \
--url https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secretimport requests
url = "https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret"
response = requests.post(url)
print(response.text)const options = {method: 'POST'};
fetch('https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}package main
import (
"fmt"
"net/http"
"io"
)
func main() {
url := "https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret"
req, _ := http.NewRequest("POST", url, nil)
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := io.ReadAll(res.Body)
fmt.Println(string(body))
}HttpResponse<String> response = Unirest.post("https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret")
.asString();require 'uri'
require 'net/http'
url = URI("https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
request = Net::HTTP::Post.new(url)
response = http.request(request)
puts response.read_bodyWebhooks
Rotate webhook secret
Rotate webhook secret
curl --request POST \
--url https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secretimport requests
url = "https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret"
response = requests.post(url)
print(response.text)const options = {method: 'POST'};
fetch('https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}package main
import (
"fmt"
"net/http"
"io"
)
func main() {
url := "https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret"
req, _ := http.NewRequest("POST", url, nil)
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := io.ReadAll(res.Body)
fmt.Println(string(body))
}HttpResponse<String> response = Unirest.post("https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret")
.asString();require 'uri'
require 'net/http'
url = URI("https://customer-api.fortary.io/v1/webhooks/{webhookId}/rotate-secret")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
request = Net::HTTP::Post.new(url)
response = http.request(request)
puts response.read_bodyPre-release — contact your Fortary account team for access.
Illustrative reference. These examples show the shape of the API and are provided for early evaluation while it is still being finalized. Field names and response details may change before the API is released. A complete reference, generated directly from the live API, will replace these examples once it is available.
webhook:manage scope.
The new secret signs deliveries immediately; the previous secret remains valid for a 24-hour grace window, during which the signature header carries a v1 entry for both secrets. Deploy the new secret to your handler within the window. A deleted webhook cannot be rotated.
Request
curl -X POST https://customer-api.fortary.io/v1/webhooks/whs_9b2f4e1a7c/rotate-secret \
-H "Authorization: Bearer fort_..."
Response
The webhook — fields as in Get webhook — plus the new secret:{
"id": "whs_9b2f4e1a7c",
"status": "ENABLED",
"updatedAt": "2026-06-11T10:02:51Z",
"secret": "whsec_xK7dR2..."
}
secret is returned exactly once. Store it now; it cannot be retrieved later — only rotated again.⌘I

