Rotate webhook secret

Generate a new signing secret for a webhook subscription.

How it works:

A new secret is generated and becomes active immediately
The old secret remains valid for 24 hours (grace period)
During the grace period, deliveries include BOTH signatures (comma-separated in X-Aura-Signature)
After the grace period, only the new secret is used

Response includes:

old_secret - Previous secret (for verifying in-flight deliveries)
new_secret - New secret (active immediately)
grace_period_ends_at - When the old secret expires

Recommended flow:

Call this endpoint
Update your verification code to accept both secrets
After the grace period, remove old secret from your code

Authorization

Path Parameters

idstring

Webhook subscription ID (UUID)

Formatuuid

Response Body

application/json

curl -X POST "https://api.aura-app.ai/v1/webhooks/550e8400-e29b-41d4-a716-446655440000/rotate-secret"

curl -X POST "https://api.aura-app.ai/v1/webhooks/550e8400-e29b-41d4-a716-446655440000/rotate-secret"

{
  "success": true,
  "old_secret": "abc123...",
  "new_secret": "def456...",
  "rotated_at": "2026-03-21T08:00:00Z",
  "grace_period_ends_at": "2026-03-22T08:00:00Z"
}

{
  "success": false,
  "error": "Webhook subscription not found",
  "code": "WEBHOOK_NOT_FOUND"
}

Rotate webhook secret

Authorization

Path Parameters

Response Body

200application/json

404application/json

application/json

application/json