> ## Documentation Index
> Fetch the complete documentation index at: https://usefoil.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate a webhook signing secret

> Requires Authorization: Bearer sk_* with the webhooks:manage scope. The new signing_secret is returned only in this response.



## OpenAPI

````yaml /api-reference/openapi.json post /v1/organizations/{organizationId}/webhooks/endpoints/{endpointId}/rotations
openapi: 3.1.0
info:
  title: Foil API
  version: '2026-03-25'
  description: >-
    Customer-facing Foil server APIs for sessions, visitor fingerprints,
    organizations, and API keys.
servers:
  - url: https://api.usefoil.com
    description: Production
security: []
tags:
  - name: Sessions
    description: Durable session readback endpoints.
  - name: Visitor fingerprints
    description: Durable visitor fingerprint readback endpoints.
  - name: Organizations
    description: Organization lifecycle endpoints.
  - name: API Keys
    description: Organization API key lifecycle endpoints.
  - name: Gate
    description: >-
      Registry, organization-owned services, signup sessions, agent tokens, and
      dashboard login sessions.
  - name: Gate Webhooks
    description: Outbound Gate webhook delivery contracts.
  - name: Webhooks
    description: Manage webhook endpoints, subscriptions, and outgoing event delivery.
  - name: Events
    description: Inspect organization events and their webhook delivery attempts.
paths:
  /v1/organizations/{organizationId}/webhooks/endpoints/{endpointId}/rotations:
    post:
      tags:
        - Webhooks
      summary: Rotate a webhook signing secret
      description: >-
        Requires Authorization: Bearer sk_* with the webhooks:manage scope. The
        new signing_secret is returned only in this response.
      operationId: rotateWebhookEndpointSecret
      parameters:
        - name: organizationId
          in: path
          required: true
          schema:
            $ref: '#/components/schemas/OrganizationId'
            example: org_f6m39y94nh6fs513q03skj929c
        - name: endpointId
          in: path
          required: true
          schema:
            $ref: '#/components/schemas/WebhookEndpointId'
            example: we_0123456789abcdef0123456789abcdef
      responses:
        '201':
          description: Webhook endpoint secret rotated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WebhookEndpointResponse'
                example:
                  data:
                    object: webhook_endpoint
                    id: we_0123456789abcdef0123456789abcdef
                    name: Acme Growth Workspace
                    url: https://app.acme.co/signup
                    status: active
                    event_types:
                      - session.fingerprint.calculated
                    signing_secret: whsec_0123456789abcdef0123456789abcdef
                    created_at: '2026-03-24T20:00:00.000Z'
                    updated_at: '2026-03-24T20:00:05.000Z'
                  meta:
                    request_id: req_cf147349a4134208aebb8c70e25fb7e1
        '401':
          description: Missing or invalid API key.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiErrorEnvelope'
                example:
                  error:
                    code: request.validation_failed
                    message: Observation payload failed validation.
                    status: 1
                    retryable: true
                    request_id: req_cf147349a4134208aebb8c70e25fb7e1
                    docs_url: https://app.acme.co/signup
                    details:
                      fields:
                        - name: Acme Growth Workspace
                          issue: required
                          expected: string
                          received: any_of
                      allowed_values:
                        - verified
                      header_name: x-forwarded-for
                      parameter_set: browser_fingerprint
                      next_action: retry
        '403':
          description: Organization access denied or insufficient scope.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiErrorEnvelope'
                example:
                  error:
                    code: request.validation_failed
                    message: Observation payload failed validation.
                    status: 1
                    retryable: true
                    request_id: req_cf147349a4134208aebb8c70e25fb7e1
                    docs_url: https://app.acme.co/signup
                    details:
                      fields:
                        - name: Acme Growth Workspace
                          issue: required
                          expected: string
                          received: any_of
                      allowed_values:
                        - verified
                      header_name: x-forwarded-for
                      parameter_set: browser_fingerprint
                      next_action: retry
        '404':
          description: Webhook endpoint not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiErrorEnvelope'
                example:
                  error:
                    code: request.validation_failed
                    message: Observation payload failed validation.
                    status: 1
                    retryable: true
                    request_id: req_cf147349a4134208aebb8c70e25fb7e1
                    docs_url: https://app.acme.co/signup
                    details:
                      fields:
                        - name: Acme Growth Workspace
                          issue: required
                          expected: string
                          received: any_of
                      allowed_values:
                        - verified
                      header_name: x-forwarded-for
                      parameter_set: browser_fingerprint
                      next_action: retry
      security:
        - BearerAuth: []
components:
  schemas:
    OrganizationId:
      type: string
      pattern: ^org_[0123456789abcdefghjkmnpqrstvwxyz]{26}$
      example: org_f6m39y94nh6fs513q03skj929c
    WebhookEndpointId:
      type: string
      pattern: ^we_[0-9a-f]{32}$
      example: we_0123456789abcdef0123456789abcdef
    WebhookEndpointResponse:
      type: object
      additionalProperties: false
      required:
        - data
        - meta
      properties:
        data:
          $ref: '#/components/schemas/WebhookEndpoint'
          example:
            object: webhook_endpoint
            id: we_0123456789abcdef0123456789abcdef
            name: Acme Growth Workspace
            url: https://app.acme.co/signup
            status: active
            event_types:
              - session.fingerprint.calculated
            signing_secret: whsec_0123456789abcdef0123456789abcdef
            created_at: '2026-03-24T20:00:00.000Z'
            updated_at: '2026-03-24T20:00:05.000Z'
        meta:
          $ref: '#/components/schemas/ResponseMeta'
          example:
            request_id: req_cf147349a4134208aebb8c70e25fb7e1
      example:
        data:
          object: webhook_endpoint
          id: we_0123456789abcdef0123456789abcdef
          name: Acme Growth Workspace
          url: https://app.acme.co/signup
          status: active
          event_types:
            - session.fingerprint.calculated
          signing_secret: whsec_0123456789abcdef0123456789abcdef
          created_at: '2026-03-24T20:00:00.000Z'
          updated_at: '2026-03-24T20:00:05.000Z'
        meta:
          request_id: req_cf147349a4134208aebb8c70e25fb7e1
    ApiErrorEnvelope:
      type: object
      additionalProperties: false
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/PublicError'
          example:
            code: request.validation_failed
            message: Observation payload failed validation.
            status: 1
            retryable: true
            request_id: req_cf147349a4134208aebb8c70e25fb7e1
            docs_url: https://app.acme.co/signup
            details:
              fields:
                - name: Acme Growth Workspace
                  issue: required
                  expected: string
                  received: any_of
              allowed_values:
                - verified
              header_name: x-forwarded-for
              parameter_set: browser_fingerprint
              next_action: retry
      example:
        error:
          code: request.validation_failed
          message: Observation payload failed validation.
          status: 1
          retryable: true
          request_id: req_cf147349a4134208aebb8c70e25fb7e1
          docs_url: https://app.acme.co/signup
          details:
            fields:
              - name: Acme Growth Workspace
                issue: required
                expected: string
                received: any_of
            allowed_values:
              - verified
            header_name: x-forwarded-for
            parameter_set: browser_fingerprint
            next_action: retry
    WebhookEndpoint:
      type: object
      additionalProperties: false
      required:
        - object
        - id
        - name
        - url
        - status
        - event_types
        - created_at
        - updated_at
      properties:
        object:
          type: string
          const: webhook_endpoint
          example: webhook_endpoint
        id:
          $ref: '#/components/schemas/WebhookEndpointId'
          example: we_0123456789abcdef0123456789abcdef
        name:
          type: string
          example: Acme Growth Workspace
        url:
          type: string
          format: uri
          example: https://app.acme.co/signup
        status:
          $ref: '#/components/schemas/WebhookEndpointStatus'
          example: active
        event_types:
          type: array
          items:
            $ref: '#/components/schemas/WebhookEventType'
            example: session.fingerprint.calculated
          example:
            - session.fingerprint.calculated
        signing_secret:
          type: string
          description: Returned only when the endpoint is created or its secret is rotated.
          example: whsec_0123456789abcdef0123456789abcdef
        created_at:
          type: string
          format: date-time
          example: '2026-03-24T20:00:00.000Z'
        updated_at:
          type: string
          format: date-time
          example: '2026-03-24T20:00:05.000Z'
      example:
        object: webhook_endpoint
        id: we_0123456789abcdef0123456789abcdef
        name: Acme Growth Workspace
        url: https://app.acme.co/signup
        status: active
        event_types:
          - session.fingerprint.calculated
        signing_secret: whsec_0123456789abcdef0123456789abcdef
        created_at: '2026-03-24T20:00:00.000Z'
        updated_at: '2026-03-24T20:00:05.000Z'
    ResponseMeta:
      type: object
      additionalProperties: false
      required:
        - request_id
      properties:
        request_id:
          $ref: '#/components/schemas/RequestId'
          example: req_cf147349a4134208aebb8c70e25fb7e1
      example:
        request_id: req_cf147349a4134208aebb8c70e25fb7e1
    PublicError:
      type: object
      additionalProperties: false
      required:
        - code
        - message
        - status
        - retryable
        - request_id
      properties:
        code:
          type: string
          x-foil-known-values-ref: '#/components/schemas/KnownPublicErrorCode'
          example: request.validation_failed
        message:
          type: string
          example: Observation payload failed validation.
        status:
          type: integer
          example: 1
        retryable:
          type: boolean
          example: true
        request_id:
          $ref: '#/components/schemas/RequestId'
          example: req_cf147349a4134208aebb8c70e25fb7e1
        docs_url:
          type: string
          format: uri
          example: https://app.acme.co/signup
        details:
          $ref: '#/components/schemas/ApiErrorDetails'
          example:
            fields:
              - name: Acme Growth Workspace
                issue: required
                expected: string
                received: any_of
            allowed_values:
              - verified
            header_name: x-forwarded-for
            parameter_set: browser_fingerprint
            next_action: retry
      example:
        code: request.validation_failed
        message: Observation payload failed validation.
        status: 1
        retryable: true
        request_id: req_cf147349a4134208aebb8c70e25fb7e1
        docs_url: https://app.acme.co/signup
        details:
          fields:
            - name: Acme Growth Workspace
              issue: required
              expected: string
              received: any_of
          allowed_values:
            - verified
          header_name: x-forwarded-for
          parameter_set: browser_fingerprint
          next_action: retry
    WebhookEndpointStatus:
      type: string
      enum:
        - active
        - disabled
      example: active
    WebhookEventType:
      type: string
      enum:
        - session.fingerprint.calculated
        - session.result.persisted
        - gate.session.approved
      example: session.fingerprint.calculated
    RequestId:
      type: string
      pattern: ^req_[0-9a-f]{32}$
      example: req_cf147349a4134208aebb8c70e25fb7e1
    ApiErrorDetails:
      type: object
      properties:
        fields:
          type: array
          items:
            $ref: '#/components/schemas/ApiFieldIssue'
            example:
              name: Acme Growth Workspace
              issue: required
              expected: string
              received: any_of
          example:
            - name: Acme Growth Workspace
              issue: required
              expected: string
              received: any_of
        allowed_values:
          type: array
          items:
            type: string
            example: verified
          example:
            - verified
        header_name:
          type: string
          example: x-forwarded-for
        parameter_set:
          type: string
          example: browser_fingerprint
        next_action:
          type: string
          enum:
            - retry
            - new_session
            - reload_bundle
            - contact_support
          example: retry
      additionalProperties: true
      example:
        fields:
          - name: Acme Growth Workspace
            issue: required
            expected: string
            received: any_of
        allowed_values:
          - verified
        header_name: x-forwarded-for
        parameter_set: browser_fingerprint
        next_action: retry
    ApiFieldIssue:
      type: object
      additionalProperties: false
      required:
        - name
        - issue
      properties:
        name:
          type: string
          example: Acme Growth Workspace
        issue:
          type: string
          example: required
        expected:
          type: string
          example: string
        received:
          anyOf:
            - type: string
              example: '0'
            - type: number
              example: 1.5
            - type: boolean
              example: true
            - type: 'null'
              example: null
          example: any_of
      example:
        name: Acme Growth Workspace
        issue: required
        expected: string
        received: any_of
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: >-
        Send Authorization: Bearer <token>. Gate business endpoints require sk_*
        secret keys. Gate workflow endpoints use gate-native bearer tokens such
        as gtpoll_* or agt_* where documented.

````