Rotate the per-org webhook signing secret
Mint a fresh per-organization HMAC secret used to sign your outgoing
webhooks. Signatures are sent in the X-AmCore-Signature header as
t=<unix>,v1=<hex>, computed over the timestamp, a newline, and the
raw body.
The new secret is returned base64-encoded exactly once. There is no endpoint that reads it back, so store it securely. If you lose it, rotate again.
On rotation the prior secret stays valid for a 5-minute grace window so verifiers mid-cutover can accept signatures from either secret. Outgoing webhooks are always signed with the current secret.
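A receiver-side verifier for the signature format and grace window described above, as an added example that is not AmCore's own code. It assumes HMAC-SHA256, that the base64-decoded secret bytes are the HMAC key, and a 300-second timestamp tolerance; the function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_S = 300  # assumed replay window for the t= timestamp; not stated on the page


def sign(secret_b64: str, ts: int, body: bytes) -> str:
    """Build a header value in the documented t=<unix>,v1=<hex> form."""
    key = base64.b64decode(secret_b64)  # assumption: decoded bytes are the HMAC key
    mac = hmac.new(key, str(ts).encode() + b"\n" + body, hashlib.sha256)  # assumption: SHA-256
    return f"t={ts},v1={mac.hexdigest()}"


def verify(header: str, body: bytes, current_b64: str, previous_b64: Optional[str] = None,
           previous_valid_until: float = 0.0, now: Optional[float] = None) -> bool:
    """Accept a signature made with the current secret, or with the prior secret
    while its grace window (previous_valid_until, as epoch seconds) is still open."""
    now = time.time() if now is None else now
    fields = dict(p.strip().split("=", 1) for p in header.split(",") if "=" in p)
    ts_raw, sig = fields.get("t", ""), fields.get("v1", "")
    if not (ts_raw.isascii() and ts_raw.isdigit()) or not sig:
        return False
    ts = int(ts_raw)
    if abs(now - ts) > TOLERANCE_S:  # stale or future-dated: treat as a replay
        return False
    candidates = [current_b64]
    if previous_b64 and now <= previous_valid_until:
        candidates.append(previous_b64)
    ok = False
    for secret in candidates:
        expected = sign(secret, ts, body).split("v1=", 1)[1]
        # constant-time compare; check every candidate instead of returning early
        ok |= hmac.compare_digest(expected.encode(), sig.encode())
    return ok


# Constructed sample values (not real secrets) for a rotation at epoch 1_000_000.
OLD = base64.b64encode(b"old-secret-constructed-for-demo!").decode()
NEW = base64.b64encode(b"new-secret-constructed-for-demo!").decode()
ROTATED_AT = 1_000_000
GRACE_END = ROTATED_AT + 300  # previous_valid_until from the rotate response, as epoch
BODY = b'{"event":"constructed.sample"}'
```

Pass the raw request bytes as `body`, not a re-serialized JSON object, and drop the stored previous secret once `previous_valid_until` has passed.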
The secret belongs to your authenticated organization. The endpoint takes no organization parameter, so a key for one organization can never rotate another organization's secret.
Requires the org:admin:write scope. Grant this scope to a separate API
key from the one carrying messages:send or messages:read, so a compromised
data-plane key cannot invalidate your signing material.
Authenticate by sending your API key as a bearer token in the Authorization header:
Authorization: Bearer am_live_...
Every request is automatically scoped to the organization that owns the key and to the scopes granted to that key.
Example request
curl -X POST "https://example.com/v1/webhook-secret/rotate"

Response Body (application/json)

Success:
{
  "webhook_secret": "9f3a2b1c1c2d4e5f9a8b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f",
  "rotated_at": "2026-04-26T12:00:00Z",
  "previous_valid_until": "2026-04-26T12:05:00Z"
}

UNAUTHORIZED:
{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "authentication failed",
    "request_id": "01JTBQH2FZ8K1RXC0WJ4Z9P3VM"
  }
}

FORBIDDEN:
{
  "success": false,
  "error": {
    "code": "FORBIDDEN",
    "message": "missing required scope",
    "request_id": "01JTBQH2FZ8K1RXC0WJ4Z9P3VM"
  }
}