Rotate a destination’s signing secret without a window where your receiver rejects good traffic. Rotation mints a new secret while the previous one keeps verifying during a bounded overlap — you cut the receiver over inside that window.
Rotate — the new secret is shown once
wbhk replay-destinations rotate-secret <destination-id>
# → new signing secret (shown once): whsec...
# the previous secret keeps verifying during a brief overlap.
Add the new secret to your receiver, alongside the old
During the overlap, both secrets validate — the delivery carries both signatures, space-delimited. Configure your Standard Webhooks verifier to accept either so in-flight deliveries signed with the old key still pass while you deploy.
Cut over, then drop the old secret
Once the receiver is deployed and verifying the new secret, remove the old one from your verifier. Confirm nothing is failing verification before you do.wbhk replay-destinations list-secrets <destination-id>
wbhk deliveries list --destination <destination-id> --status failed,dead
The overlap is bounded — treat it as your deploy window, not an indefinite dual-key mode. Rotate
again if you miss it; the old secret simply stops verifying when the window closes.