API · Platform · Webhooks
Rotate the webhook secret.
Issue a new HMAC signing secret for a webhook endpoint and return it exactly once in secret. Use it for routine credential hygiene (annual rotation, post-incident response, after a deploy that may have leaked secrets to logs) without changing the endpoint URL or re-subscribing to events.
Grace window - The previous secret remains valid for 60 seconds after rotation, then is permanently rejected. This window lets a deploy of the new secret roll through your fleet without delivery failures during the cutover. Plan rotations so the new secret is fully deployed before the 60s mark. - Deliveries during the grace window may arrive signed with either secret — verify against both. After the window, only the new secret will produce valid signatures.
Prerequisites - Webhook endpoint must be enabled. Disabled endpoints reject rotation with 409 endpoint_disabled — re-enable first or just delete and recreate.
Returns 200 OK with the endpoint resource and the new plaintext secret. Idempotent via Idempotency-Key. See idempotency.
See also: Webhooks API overview.
Last updated
Response Body
application/json
application/problem+json
application/problem+json
application/problem+json
Request
curl -X POST "https://api.mattermode.com/v1/webhook_endpoints/{id}/rotate_secret"fetch("https://api.mattermode.com/v1/webhook_endpoints/{id}/rotate_secret", { method: "POST"})package mainimport ( "fmt" "net/http" "io/ioutil")func main() { url := "https://api.mattermode.com/v1/webhook_endpoints/{id}/rotate_secret" req, _ := http.NewRequest("POST", url, nil) res, _ := http.DefaultClient.Do(req) defer res.Body.Close() body, _ := ioutil.ReadAll(res.Body) fmt.Println(res) fmt.Println(string(body))}import requestsheaders = { "Authorization": "Bearer sk_test_4eC39HqLyjWDarjtT1zdp7dc", "Matter-Version": "2026-06-10", "Idempotency-Key": "ee7c3a9b-3f1a-4d8e-9b2a-7c5e1f0a2d4b",}resp = requests.post( "https://api.mattermode.com/v1/webhook_endpoints/whe_N7kFvY5j/rotate_secret", headers=headers,)resp.raise_for_status()print(resp.json())import java.net.URI;import java.net.http.HttpClient;import java.net.http.HttpRequest;import java.net.http.HttpResponse;import java.net.http.HttpResponse.BodyHandlers;import java.time.Duration;HttpClient client = HttpClient.newBuilder() .connectTimeout(Duration.ofSeconds(10)) .build();HttpRequest.Builder requestBuilder = HttpRequest.newBuilder() .uri(URI.create("https://api.mattermode.com/v1/webhook_endpoints/{id}/rotate_secret")) .POST() .build();try { HttpResponse<String> response = client.send(requestBuilder.build(), BodyHandlers.ofString()); System.out.println("Status code: " + response.statusCode()); System.out.println("Response body: " + response.body());} catch (Exception e) { e.printStackTrace();}using System;using System.Net.Http;using System.Text;var client = new HttpClient();var response = await client.PostAsync("https://api.mattermode.com/v1/webhook_endpoints/{id}/rotate_secret");var responseBody = await response.Content.ReadAsStringAsync();curl --request POST 'https://api.mattermode.com/v1/webhook_endpoints/whe_N7kFvY5j/rotate_secret' \ --header 'Authorization: Bearer sk_test_4eC39HqLyjWDarjtT1zdp7dc' \ --header 'Matter-Version: 2026-06-10' \ --header 'Idempotency-Key: ee7c3a9b-3f1a-4d8e-9b2a-7c5e1f0a2d4b'const response = await fetch("https://api.mattermode.com/v1/webhook_endpoints/whe_N7kFvY5j/rotate_secret", { method: "POST", headers: { "Authorization": "Bearer sk_test_4eC39HqLyjWDarjtT1zdp7dc", "Matter-Version": "2026-06-10", "Idempotency-Key": "ee7c3a9b-3f1a-4d8e-9b2a-7c5e1f0a2d4b", },});if (!response.ok) { throw new Error(`Matter API ${response.status}: ${await response.text()}`);}const data = await response.json();console.log(data);Response
application/json{
"id": "string",
"object": "webhook_endpoint",
"url": "https://your.app/webhooks/matter",
"description": "string",
"enabled_events": [
"string"
],
"api_version": "2026-04-25",
"include": [
"data.object"
],
"signing_secret": "string",
"status": "enabled",
"last_delivery": {},
"metadata": {},
"created": 1745539200,
"updated": 1745539200,
"livemode": false
}{
"type": "https://mattermode.com/docs/errors/invalid_request",
"title": "Invalid request",
"status": 400,
"code": "invalid_request",
"detail": "Request body could not be parsed as JSON.",
"doc_url": "https://mattermode.com/docs/guides/errors#invalid_request",
"request_id": "req_Qw9xYz8A"
}{
"type": "https://mattermode.com/docs/errors/authentication_required",
"title": "Authentication required",
"status": 401,
"code": "authentication_required",
"detail": "No bearer token was supplied. Pass `Authorization: Bearer sk_live_...` on every request.",
"doc_url": "https://mattermode.com/docs/guides/errors#authentication_required",
"request_id": "req_Qw9xYz8A"
}{
"type": "https://mattermode.com/docs/errors/rate_limit_exceeded",
"title": "Rate limit exceeded",
"status": 429,
"code": "rate_limit_exceeded",
"detail": "Request rate exceeded for this key. Retry after `retry_after` seconds or honor the `Retry-After` header.",
"doc_url": "https://mattermode.com/docs/guides/errors#rate_limit_exceeded",
"request_id": "req_Qw9xYz8A",
"retry_after": 30
}