Skip to content

POST /api/v1/admin/orgs/:slug/webhook-secret/rotate

This page is auto-generated from src/admin/routes.ts. Do not edit by hand — see docs/dev/docs-auto-sync.md.

:warning: Heuristic extraction — not a contract. Response shapes below are mined from c.json(...) literals in the handler via an AST walker. Computed fields, ternaries, and non-literal returns are shown as placeholders. Refer to the linked source file for the authoritative behaviour.

POST /api/v1/admin/orgs/:slug/webhook-secret/rotate

Section titled “POST /api/v1/admin/orgs/:slug/webhook-secret/rotate”

Requires the following capability(ies):

  • webhooks:w

Other middleware observed on this route (heuristic):

  • requireCapability
  • requireSensitiveOp
  • adminBodyLimit

--- Per-org webhook secret (#149 trigger-on-publish) ----------------------

One write surface: rotate. Plaintext is only ever returned in the rotate response; the value is then opaque server-side. Operators who lose the plaintext rotate again. No GET / read surface — the secret is a credential like the org API key, not a config knob. #336 — gated on webhooks:w (rotating the secret is webhook configuration). #411 — also gated on a fresh step-up. Rotating the secret invalidates every prior signature in flight; treat it as a sensitive op requiring a strong factor (passkey or MFA) per the registry default.

{
"error": "Org not found"
}
{
"secret": <secret>,
"rotatedAt": <call>
}
  • File: src/admin/routes.ts
  • Line: 6083