Rotate a webhook signing secret

Rotate a signing secret for a specific webhook.

For more information, see the guides: About webhooks and Manage webhooks.

Access Token

Each Business API request must contain an authorization header in the following format to make a call: Bearer <your_access_token>.

The access token is obtained the first time you set up your application and expires after 40 minutes. During setup, you also obtain a refresh_token, which allows you to obtain a new access_token.


Never share your client-assertion JWT (JSON Web Token), access_token, or refresh_token with anyone, as these can be used to access your banking data and initiate transactions.

Access tokens can be issued with four security scopes and require a JWT (JSON Web Token) signature to be obtained:

  • READ: Permissions for GET operations.

  • WRITE: Permissions to update counterparties, webhooks, and issue payment drafts.

  • PAY: Permissions to initiate or cancel transactions and currency exchanges.

  • READ_SENSITIVE_CARD_DATA: Permissions to retrieve sensitive card details.


    If you enable the READ_SENSITIVE_CARD_DATA scope for your access token, you must set up IP whitelisting. Failing to do so will prevent you from accessing any Business API endpoint.

    IP whitelisting means that you must specify an IP or a set of IPs which will be the only IPs from which requests to the API will be accepted. To do so:

    1. In the Revolut Business app, select the corresponding API certificate.
    2. In Production IP whitelist, provide the IP(s) which should be whitelisted, and save.

To configure your JWT and obtain the refresh and first access tokens, complete the following steps:

  1. Sign up for a Revolut Business account
  2. Prepare your Sandbox environment
  3. Make your first API request


Webhook signing secret rotation request

Path Parameters

The ID of the webhook for which to rotate the secret.

Request body
Body object

Possible values: <= P7D

Default value: P0D

The expiration period for the signing secret in ISO 8601 format. If set, when you rotate the secret, it continues to be valid until the expiration period has passed. Otherwise, on rotation, the secret is invalidated immediately. The maximum value is 7 days.


The details of the webhook for which you rotated the signing secret

Response body
Body object

The ID of the webhook.

The valid webhook URL that event notifications are sent to. The supported protocol is https.

Possible values: [TransactionCreated, TransactionStateChanged, PayoutLinkCreated, PayoutLinkStateChanged]

The list of event types that you are subscribed to.

The signing secret for the webhook.
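
An added example, not part of the original page or the API provider's own code: a webhook receiver's key ring that validates the ISO 8601 expiration period against the P7D maximum and keeps accepting the old signing secret only until that period has passed. The names SecretRing, parse_expiration_period and sign, and the plain hex HMAC-SHA256 signature over the raw body, are assumptions; a real receiver uses the signature format given in the webhook guides.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

MAX_PERIOD = timedelta(days=7)  # the documented "<= P7D" limit
# Days and time parts only; weeks, months and years are deliberately rejected.
_DURATION = re.compile(
    r"^P(?=\d|T\d)(?:(\d+)D)?(?:T(?=\d)(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_expiration_period(value="P0D"):
    """Turn the ISO 8601 expiration period into a timedelta, enforcing the cap."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    period = timedelta(days=d, hours=h, minutes=mi, seconds=s)
    if period > MAX_PERIOD:
        raise ValueError("expiration period exceeds P7D")
    return period

def sign(secret, payload):
    # ASSUMPTION: hex HMAC-SHA256 over the raw body stands in for the real scheme.
    return hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()

class SecretRing:
    """Secrets a receiver accepts: the new one, plus the old one until it expires."""
    def __init__(self, current):
        self.current = current
        self.previous = None  # (old_secret, valid_until) during the overlap

    def rotate(self, new_secret, expiration_period="P0D", now=None):
        now = now or datetime.now(timezone.utc)
        period = parse_expiration_period(expiration_period)
        # P0D (the default) invalidates the old secret immediately: keep nothing.
        self.previous = (self.current, now + period) if period else None
        self.current = new_secret

    def verify(self, payload, signature_hex, now=None):
        now = now or datetime.now(timezone.utc)
        if self.previous and now >= self.previous[1]:
            self.previous = None  # overlap has passed: drop the old secret
        candidates = [self.current] + ([self.previous[0]] if self.previous else [])
        ok = False
        for secret in candidates:  # check all candidates, compare in constant time
            ok |= hmac.compare_digest(sign(secret, payload).encode(),
                                      signature_hex.encode())
        return ok
```

Call rotate with the signing secret returned in the response body and the same expiration period that was sent in the request, so the receiver's overlap window matches the one on the sending side.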
