whk_ key can
act as your organization, up to whatever that key is scoped for.
The fix is short: revoke it. Everything below is detail around that.
Revoke a leaked key
Open the dashboard
Find the key
Keys are listed by name and by the first few characters of the key itself — enough to tell one
key from another without revealing either.
Rotate without downtime
Revocation takes effect right away, so pulling a key that’s still in use will break whatever is using it. Put the new key in place before you take the old one away:Create the replacement
On the same page, create a key with the same scopes — no more. Copy it now; it’s shown once.
Check the new key works
A The SDKs expose the same call as
200 means the key is valid and carries the scopes you expect:whoami(), and the CLI as wbhk whoami. It confirms the key
is good — not which key your application is sending, since two keys with the same scopes get
identical answers. Make sure your deploy actually picked up the new value before you continue.Revoking a device
A device — a machine you’ve logged into withwbhk login — can mint keys of its own. Revoking a
device cascades to every key minted under it, so if a laptop is lost or a CI runner is
compromised, revoke the device rather than hunting its keys one by one.
Limit the blast radius before it happens
A leaked key is a bad day. A leaked key with
endpoints:write is a worse one.- Scope keys narrowly. A key only ever needs the scopes for the job it does. A read-only
reporting job doesn’t need
events:replay. - One key per consumer. Separate keys for CI, staging, and each service mean you revoke one thing, not everything.
- Keep keys server-side. Never ship a
whk_key to a browser, a mobile app, or anything else a user can read. The SDKs redact keys from their own errors and debug output, but that only helps once the key is already somewhere it belongs. - Read them from the environment.
WEBHOOK_API_KEYin your secret manager, not a literal in source. Most leaked keys are committed keys.
How to tell a real key from a placeholder
Everywhk_ key is exactly 53 characters: the whk_ prefix, 43 random characters, and a 6-character
checksum over those 43. If a string doesn’t have that shape, it was never a working key — so a
whk_YOUR_API_KEY_HERE in a README is nothing to worry about, and a scanner that flags it is wrong.
The checksum means we can reject a malformed or truncated key before it ever reaches a database
lookup. It is error detection, not security: the secret is the 43 random characters.
Reporting a leak you didn’t cause
Found awhk_ key that isn’t yours — in a public repo, a package, a paste? Tell us at
security@webhook.co and we’ll take it from there. Please don’t use the
key to check whether it works.
Security issues in webhook.co itself go through our
security policy.