POST /api/v1/admin/orgs/:slug/webhook-secret/rotate
This page is auto-generated from
src/admin/routes.ts. Do not edit by hand — seedocs/dev/docs-auto-sync.md.
:warning: Heuristic extraction — not a contract. Response shapes below are mined from
c.json(...)literals in the handler via an AST walker. Computed fields, ternaries, and non-literal returns are shown as placeholders. Refer to the linked source file for the authoritative behaviour.
POST /api/v1/admin/orgs/:slug/webhook-secret/rotate
Section titled “POST /api/v1/admin/orgs/:slug/webhook-secret/rotate”Authentication
Section titled “Authentication”Requires the following capability(ies):
webhooks:w
Middleware
Section titled “Middleware”Other middleware observed on this route (heuristic):
requireCapabilityrequireSensitiveOpadminBodyLimit
Description
Section titled “Description”--- Per-org webhook secret (#149 trigger-on-publish) ----------------------
One write surface: rotate. Plaintext is only ever returned in the rotate response; the value is then opaque server-side. Operators who lose the plaintext rotate again. No GET / read surface — the secret is a credential like the org API key, not a config knob. #336 — gated on webhooks:w (rotating the secret is webhook configuration). #411 — also gated on a fresh step-up. Rotating the secret invalidates every prior signature in flight; treat it as a sensitive op requiring a strong factor (passkey or MFA) per the registry default.
Responses
Section titled “Responses”HTTP 404
Section titled “HTTP 404”{ "error": "Org not found"}HTTP 200
Section titled “HTTP 200”{ "secret": <secret>, "rotatedAt": <call>}Source
Section titled “Source”- File:
src/admin/routes.ts - Line: 6083