# Rotate webhook signing secret Issues a new signing secret, demotes the existing current to previous for a 24-hour overlap window, and returns the new plaintext value. The plaintext is returned only here; store it immediately. During the overlap window outgoing webhooks are signed with both secrets: the X-Webhook-Signature header carries two v1= entries, so receivers that verify with either secret keep accepting deliveries. Returns 409 if a previous secret is still within its overlap window; end it via deleteChannelPreviousWebhookSecret before rotating again. Only valid for channels with kind=webhook; otherwise returns 400. Endpoint: POST /channels/{channel_id}/webhook-secrets/actions/rotate Version: 0.23.20 Security: Auth ## Path parameters: - `channel_id` (string, required) Unique identifier (UUID) of the channel. Example: "550e8400-e29b-41d4-a716-446655440000" ## Response 200 fields (application/json): - `current` (object, required) The newly issued signing secret, now used for all new outgoing webhooks. - `current.mask` (string, required) Masked form of a webhook signing secret: the vilna_whsec_ prefix, four obfuscation bullets, and the last 4 characters of the random body. Safe to display in UIs for identifying a secret without exposing it ("is the right secret stored on my side?"). - `current.created_at` (string, required) Timestamp when the resource was created. - `current.expires_at` (string) The moment after which this secret will no longer sign new outgoing webhooks. Set only when this secret occupies the previous slot. - `previous` (object) The secret that was just demoted to the previous slot, retained for the 24-hour overlap. Absent when this rotation issued the channel's first secret. - `secret` (string, required) Plaintext form of the new current secret. Store it immediately in your secrets manager; if lost, rotate again. ## Response 400 fields (application/problem+json): - `type` (string, required) A URI that identifies the error type. Open it in a browser to read about this category of error. Example: "https://docs.vilna.io/apis/problems/invalid-request" - `title` (string, required) A short summary of the error type. Use detail for information specific to this occurrence. Example: "Invalid Request" - `status` (integer, required) The HTTP status code for this error. Matches the status code of the HTTP response. Example: 400 - `detail` (string) A human-readable explanation of what went wrong in this specific case. May be localized. Example: "Validation error" - `instance` (string) A URI that identifies this specific error occurrence. Include this value when contacting support. - `code` (string, required) Stable machine-readable error code ({domain}.{reason}) for programmatic error handling. Unlike the HTTP status or free-form detail, this code is guaranteed not to change between versions for a given error condition, so it is safe to branch on in client code. Defaults to unspecified when the server has not assigned a specific code. Example: "blockchain.name_too_long" - `fields` (array) List of invalid fields in the request - `fields.name` (string, required) The name of the invalid field Example: "meta" - `fields.reason` (string, required) Why this field is invalid Example: "Exceeded maximum data size — must not exceed 1000 characters" ## Response 401 fields (application/problem+json): - `type` (string, required) A URI that identifies the error type. Open it in a browser to read about this category of error. Example: "https://docs.vilna.io/apis/problems/unauthorized" - `title` (string, required) A short summary of the error type. Use detail for information specific to this occurrence. Example: "Unauthorized" - `status` (integer, required) The HTTP status code for this error. Matches the status code of the HTTP response. Example: 401 - `detail` (string) A human-readable explanation of what went wrong in this specific case. May be localized. Example: "Missing or invalid authentication credentials" - `instance` (string) A URI that identifies this specific error occurrence. Include this value when contacting support. - `code` (string, required) Stable machine-readable error code ({domain}.{reason}) for programmatic error handling. Unlike the HTTP status or free-form detail, this code is guaranteed not to change between versions for a given error condition, so it is safe to branch on in client code. Defaults to unspecified when the server has not assigned a specific code. Example: "auth.unauthorized" ## Response 403 fields (application/problem+json): - `type` (string, required) A URI that identifies the error type. Open it in a browser to read about this category of error. Example: "https://docs.vilna.io/apis/problems/forbidden" - `title` (string, required) A short summary of the error type. Use detail for information specific to this occurrence. Example: "Forbidden" - `status` (integer, required) The HTTP status code for this error. Matches the status code of the HTTP response. Example: 403 - `detail` (string) A human-readable explanation of what went wrong in this specific case. May be localized. Example: "You do not have permission to perform this action" - `instance` (string) A URI that identifies this specific error occurrence. Include this value when contacting support. - `code` (string, required) Stable machine-readable error code ({domain}.{reason}) for programmatic error handling. Unlike the HTTP status or free-form detail, this code is guaranteed not to change between versions for a given error condition, so it is safe to branch on in client code. Defaults to unspecified when the server has not assigned a specific code. Example: "chain.not_allowed" ## Response 404 fields (application/problem+json): - `type` (string, required) A URI that identifies the error type. Open it in a browser to read about this category of error. Example: "https://docs.vilna.io/apis/problems/not-found" - `title` (string, required) A short summary of the error type. Use detail for information specific to this occurrence. Example: "Not Found" - `status` (integer, required) The HTTP status code for this error. Matches the status code of the HTTP response. Example: 404 - `detail` (string) A human-readable explanation of what went wrong in this specific case. May be localized. Example: "The requested resource was not found" - `instance` (string) A URI that identifies this specific error occurrence. Include this value when contacting support. - `code` (string, required) Stable machine-readable error code ({domain}.{reason}) for programmatic error handling. Unlike the HTTP status or free-form detail, this code is guaranteed not to change between versions for a given error condition, so it is safe to branch on in client code. Defaults to unspecified when the server has not assigned a specific code. Example: "blockchain.not_found" ## Response 409 fields (application/problem+json): - `type` (string, required) A URI that identifies the error type. Open it in a browser to read about this category of error. Example: "https://docs.vilna.io/apis/problems/conflict" - `title` (string, required) A short summary of the error type. Use detail for information specific to this occurrence. Example: "Conflict" - `status` (integer, required) The HTTP status code for this error. Matches the status code of the HTTP response. Example: 409 - `detail` (string) A human-readable explanation of what went wrong in this specific case. May be localized. Example: "Resource already exists with the same identifier" - `instance` (string) A URI that identifies this specific error occurrence. Include this value when contacting support. - `code` (string, required) Stable machine-readable error code ({domain}.{reason}) for programmatic error handling. Unlike the HTTP status or free-form detail, this code is guaranteed not to change between versions for a given error condition, so it is safe to branch on in client code. Defaults to unspecified when the server has not assigned a specific code. Example: "invoice.address_occupied" ## Response default fields (application/problem+json): - `type` (string, required) A URI that identifies the error type. Open it in a browser to read about this category of error. - `title` (string, required) A short summary of the error type. Use detail for information specific to this occurrence. - `status` (integer, required) The HTTP status code for this error. Matches the status code of the HTTP response. - `detail` (string) A human-readable explanation of what went wrong in this specific case. May be localized. - `instance` (string) A URI that identifies this specific error occurrence. Include this value when contacting support. - `code` (string, required) Stable machine-readable error code ({domain}.{reason}) for programmatic error handling. Unlike the HTTP status or free-form detail, this code is guaranteed not to change between versions for a given error condition, so it is safe to branch on in client code. Defaults to unspecified when the server has not assigned a specific code.