Rotate the signing secret

curl --request POST \
  --url https://v2.prod.halliday.xyz/orgs/webhooks/rotate-secret \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "label": "prod-workflows",
  "retire_after": "2026-07-01T00:00:00.000Z"
}
'

{
  "id": "4f2c…",
  "signing_secret": "d4e5f6…"
}

Webhooks

Rotate the signing secret

Generate a new signing secret for a webhook. The new key is added immediately and signs alongside any existing keys, so deliveries carry multiple v1= signatures during the overlap and you can roll the secret in your verifier without downtime.

The previous keys are only phased out if you pass retire_after (floored to at least 24h from now). Omit retire_after and the previous secret stays active indefinitely — both keep signing. The response returns the webhook id and the new signing_secret; store it now, as it is not retrievable later.

POST

orgs

webhooks

rotate-secret

Rotate the signing secret

curl --request POST \
  --url https://v2.prod.halliday.xyz/orgs/webhooks/rotate-secret \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "label": "prod-workflows",
  "retire_after": "2026-07-01T00:00:00.000Z"
}
'

{
  "id": "4f2c…",
  "signing_secret": "d4e5f6…"
}

Authorizations

Authorization

string

header

required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json

label

string

required

Example:

"prod-workflows"

retire_after

string<date-time>

Optional. When the previous signing secret(s) should stop signing. Floored to at least 24h from now. Omit to keep the previous secret active indefinitely (both keep signing).

Example:

"2026-07-01T00:00:00.000Z"

Response

New signing secret issued

string

required

Example:

"4f2c…"

signing_secret

string

required

The new signing secret. Store it now — it is not retrievable later.

Example:

"d4e5f6…"

Update a webhook Workflow status changed