> ## Documentation Index
> Fetch the complete documentation index at: https://docs.webhook.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate a destination's signing secret (returns the new one-time secret)



## OpenAPI

````yaml https://api.webhook.co/openapi.json post /v1/replay-destinations/{destinationId}/signing-secret
openapi: 3.1.0
info:
  title: webhook.co API
  version: 1.0.0
  description: >-
    The webhook.co REST API: create ingest endpoints, inspect captured events,
    manage delivery destinations and subscriptions, and replay events. All
    requests are authenticated with a bearer `whk_` API key. Responses are JSON;
    every successful response is HTTP 200. Errors use a JSON `{error, message}`
    envelope, except 401/403 which are empty-bodied with a WWW-Authenticate
    header.
  license:
    name: Apache-2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
servers:
  - url: https://api.webhook.co
    description: Production
security:
  - bearerAuth: []
tags:
  - name: Endpoints
    description: Create, inspect, and manage ingest endpoints and their secrets.
  - name: Events
    description: Browse, fetch, tail, and replay captured events.
  - name: Deliveries
    description: Observe outbound delivery attempts.
  - name: Replay Destinations
    description: Manage the allowlist of remote delivery destinations.
  - name: Subscriptions
    description: Configure auto-delivery routing rules.
  - name: Audit
    description: Verify the tamper-evident audit chain.
  - name: Identity
    description: Inspect the authenticated principal.
paths:
  /v1/replay-destinations/{destinationId}/signing-secret:
    post:
      tags:
        - Replay Destinations
      summary: Rotate a destination's signing secret (returns the new one-time secret)
      operationId: replayDestinationsRotateSigningSecret
      parameters:
        - name: destinationId
          in: path
          required: true
          schema:
            type: string
            format: uuid
            pattern: >-
              ^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$
      responses:
        '200':
          description: Success.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RotatedSigningSecret'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalError'
      security:
        - bearerAuth: []
components:
  schemas:
    RotatedSigningSecret:
      type: object
      properties:
        destinationId:
          type: string
          format: uuid
          pattern: >-
            ^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$
        keyId:
          type: string
          format: uuid
          pattern: >-
            ^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$
        signingSecret:
          type: string
      required:
        - destinationId
        - keyId
        - signingSecret
      additionalProperties: false
    Error:
      type: object
      description: The JSON error envelope for capability faults.
      properties:
        error:
          type: string
          description: A stable capability-error code.
        message:
          type: string
          description: A human-readable description.
      required:
        - error
        - message
  responses:
    BadRequest:
      description: The request failed validation.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: >-
        Missing or invalid bearer credential. Empty body; the WWW-Authenticate
        header carries the challenge.
      headers:
        WWW-Authenticate:
          description: RFC 6750 Bearer challenge.
          schema:
            type: string
    Forbidden:
      description: >-
        The credential is valid but lacks the required scope. Empty body;
        WWW-Authenticate carries the challenge.
      headers:
        WWW-Authenticate:
          description: RFC 6750 Bearer challenge.
          schema:
            type: string
    NotFound:
      description: The referenced resource was not found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    TooManyRequests:
      description: A rate limit or soft cap was exceeded.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    InternalError:
      description: An unexpected server error. The body is a plain-text sentinel.
      content:
        text/plain:
          schema:
            type: string
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: opaque
      description: A `whk_`-prefixed API key (opaque; not a JWT).

````