> ## Documentation Index
> Fetch the complete documentation index at: https://docs.reap.global/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate signing secret

> Mints a new HMAC signing secret and returns it exactly once. The previous secret is invalidated immediately; in-flight deliveries signed with the old secret will fail verification on your endpoint and be retried automatically by the platform.



## OpenAPI

````yaml /api-reference/openapi.json post /webhooks/{id}/rotate-secret
openapi: 3.1.0
info:
  title: Reap API
  version: 1.0.0
  description: Reap platform API
servers:
  - url: https://sandbox.api.reap.global
    description: Sandbox
  - url: https://prod.api.reap.global
    description: Production
security:
  - bearerAuth: []
tags:
  - name: Accounts
  - name: Activities
  - name: Card Designs
  - name: Card Shipments
  - name: Card Transactions
  - name: Cards
  - name: Companies
  - name: Crypto Deposits
  - name: Policies
  - name: Simulation
  - name: Users
  - name: Virtual Asset Postings
  - name: Virtual Assets
  - name: Webhooks
paths:
  /webhooks/{id}/rotate-secret:
    post:
      tags:
        - Webhooks
      summary: Rotate signing secret
      description: >-
        Mints a new HMAC signing secret and returns it exactly once. The
        previous secret is invalidated immediately; in-flight deliveries signed
        with the old secret will fail verification on your endpoint and be
        retried automatically by the platform.
      operationId: rotateSecret_webhooks
      parameters:
        - name: id
          in: path
          required: true
          schema:
            description: Webhook ID
            type: string
            format: uuid
        - name: Reap-Version
          in: header
          required: true
          schema:
            type: string
            enum:
              - '2025-02-14'
            description: API version (YYYY-MM-DD)
            example: '2025-02-14'
        - name: Idempotency-Key
          in: header
          required: false
          schema:
            type: string
            minLength: 1
            maxLength: 255
            description: >-
              Unique key for safely retrying this request. Up to 255 characters;
              we recommend a UUIDv4. The first request executes and its response
              is cached; subsequent requests with the same key replay the cached
              response (24h retention).
      responses:
        '200':
          description: >-
            Webhook with its newly minted signing secret. The previous secret is
            no longer accepted.
          content:
            application/json:
              schema:
                type: object
                properties:
                  id:
                    type: string
                    format: uuid
                    description: Unique webhook identifier
                  name:
                    type: string
                    description: Human-readable label
                  url:
                    type: string
                    description: HTTPS endpoint that receives signed POSTs
                  status:
                    type: string
                    enum:
                      - ACTIVE
                      - DISABLED
                    description: Lifecycle status. Disabled webhooks receive no deliveries.
                    example: ACTIVE
                  mode:
                    type: string
                    enum:
                      - NOTIFICATION
                      - REQUEST
                    description: Interaction pattern of the endpoint.
                    example: NOTIFICATION
                  lastUsedAt:
                    anyOf:
                      - type: string
                        format: date-time
                        pattern: >-
                          ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                      - type: 'null'
                    description: Timestamp of the most recent successful delivery
                  createdAt:
                    type: string
                    format: date-time
                    pattern: >-
                      ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                    description: ISO 8601 creation timestamp
                  updatedAt:
                    type: string
                    format: date-time
                    pattern: >-
                      ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
                    description: ISO 8601 last update timestamp
                  signingSecret:
                    type: string
                    description: >-
                      HMAC signing secret. Returned exactly once. Store it
                      securely - it cannot be retrieved again. The previous
                      secret (if any) is invalidated immediately.
                required:
                  - id
                  - name
                  - url
                  - status
                  - mode
                  - lastUsedAt
                  - createdAt
                  - updatedAt
                  - signingSecret
        '404':
          description: Webhook not found
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: object
                    properties:
                      code:
                        type: string
                        const: WEBHOOK_NOT_FOUND
                      message:
                        type: string
                      detail:
                        anyOf:
                          - type: object
                            additionalProperties: {}
                          - type: 'null'
                    required:
                      - code
                      - message
                      - detail
                required:
                  - error
                title: WebhookNotFoundError
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: API key as Bearer token

````