Rotate a webhook signing secret
Rotate the signing_secret for a specific webhook.
The updated signing secret is returned in the response as part of the full webhook object.
For more information, see Tutorials: Verify the payload signature.
Request
The ID of the webhook.
Example: "Bearer sk_1234567890ABCdefGHIjklMNOpqrSTUvwxYZ_1234567890-Ab_cdeFGHijkLMNopq"
This parameter accepts the Merchant API Secret key to authorise requests coming from the merchant's backend.
It ensures that each request is authenticated and authorised by verifying the secret key. The secret key should be included in all request headers as a Bearer token.
For more information, see: Authentication
Possible values: [2024-09-01, 2025-10-16, 2025-12-04, 2026-03-12, 2026-04-20]
Example: "2026-04-20"
The version of the Merchant API, specified in YYYY-MM-DD format.
This endpoint is available from version 2024-09-01. If a version earlier than 2024-09-01 is provided, the endpoint returns a 404 response.
If not specified, you will receive an error.
For more information about API versioning, see: API versions.
Example: "PT5H30M"
The expiration period of the signing secret in the ISO 8601 format.
If defined, when the signing secret is rotated, it continues to be valid until the expiration period passes.
Otherwise, it is invalidated immediately.
Maximum expiration period is 7 days.
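An added example (not part of this API reference or the provider's code) of how a webhook receiver can mirror the expiration behaviour described above: it validates the ISO 8601 period against the 7-day maximum and accepts the rotated-out secret only until that period lapses. `SecretKeyring` and its methods are hypothetical names, and the hex HMAC-SHA256 over the raw body is a stand-in assumption; the actual signed string and header format are defined in the linked tutorial.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

MAX_EXPIRATION = timedelta(days=7)  # page: "Maximum expiration period is 7 days."
# Weeks/days/hours/minutes/seconds only; years and months are calendar-dependent.
_DURATION = re.compile(
    r"P(?:(\d+)W)?(?:(\d+)D)?(?:T(?=\d)(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def parse_expiration_period(text):
    """Parse an ISO 8601 duration such as "PT5H30M" and enforce the 7-day cap."""
    m = _DURATION.fullmatch(text)
    if not m or text == "P":
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    w, d, h, mi, s = (int(g or 0) for g in m.groups())
    period = timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)
    if period > MAX_EXPIRATION:
        raise ValueError("expiration period exceeds the 7-day maximum")
    return period


class SecretKeyring:
    """Hypothetical receiver-side store: current secret plus the rotated-out one."""

    def __init__(self, current_secret):
        self.current, self.previous = current_secret, None

    def rotate(self, new_secret, expiration_period=None, now=None):
        now = now or datetime.now(timezone.utc)
        # No period given: the old secret is invalidated immediately.
        self.previous = None if expiration_period is None else (
            self.current, now + parse_expiration_period(expiration_period))
        self.current = new_secret

    def active_secrets(self, now=None):
        now = now or datetime.now(timezone.utc)
        keep_old = self.previous is not None and now < self.previous[1]
        return [self.current] + ([self.previous[0]] if keep_old else [])

    def verify(self, payload, signature_hex, now=None):
        # Assumed stand-in scheme: hex HMAC-SHA256 over the raw request body.
        ok = False
        for secret in self.active_secrets(now):
            mac = hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()
            ok |= hmac.compare_digest(mac.encode(), signature_hex.encode())
        return ok
```

Call `rotate()` with the same expiration period sent in the rotation request, so the receiver stops trusting the old secret at the same moment the API does.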
Response
OK
The ID of the webhook.
Possible length: <= 2000 characters
Pattern: Value must match regular expression ^https?:\/{2}.+/gi
Your webhook's URL to which event notifications will be sent.
Must be a valid HTTP or HTTPS URL, capable of receiving POST requests.
Restrictions:
- Must be a valid URI as defined by RFC 3986
- URI scheme is required and must be either http or https
- URI host is required and cannot be localhost or an IP address
- Max length: 2000
- Reserved or invalid characters must be percent-encoded (for example, use %20 instead of a space)
Possible values: [ORDER_COMPLETED, ORDER_AUTHORISED, ORDER_CANCELLED, ORDER_FAILED, ORDER_INCREMENTAL_AUTHORISATION_AUTHORISED, ORDER_INCREMENTAL_AUTHORISATION_DECLINED, ORDER_INCREMENTAL_AUTHORISATION_FAILED, ORDER_PAYMENT_AUTHENTICATION_CHALLENGED, ORDER_PAYMENT_AUTHENTICATED, ORDER_PAYMENT_DECLINED, ORDER_PAYMENT_FAILED, SUBSCRIPTION_INITIATED, SUBSCRIPTION_FINISHED, SUBSCRIPTION_CANCELLED, SUBSCRIPTION_OVERDUE, PAYOUT_INITIATED, PAYOUT_COMPLETED, PAYOUT_FAILED, DISPUTE_ACTION_REQUIRED, DISPUTE_UNDER_REVIEW, DISPUTE_WON, DISPUTE_LOST]
Possible number of items: non-empty
List of event types that the webhook is configured to listen to.
Each event is related to status changes of a specific object in the Merchant API:
| Object | Event types |
|---|---|
| Order | |
| Payment | |
| Subscription | |
| Payout | |
| Dispute | |
The signing secret for the webhook. Use it to verify the signature for the webhook request's payload.