# Rotate Webhook Secret

> POST /webhooks/:id/rotate — replace the signing secret for a webhook.

`POST /webhooks/:id/rotate`

Rotates the signing secret for a webhook, invalidating the old secret immediately. Use this if your current secret has been compromised or as part of a regular credential rotation policy. The new plaintext secret is returned **once** in this response — store it securely before the request completes.

**Path parameters**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `id` | string | Yes | The webhook id. |

**Node.js**

```js
import { MailBlastr } from 'mailblastr';

const mb = new MailBlastr('mb_xxxxxxxxx');

const { data, error } = await mb.webhooks.rotate('4dd369bc-aa82-4ff3-97de-514ae3000ee0');
console.log({ data, error });
```

**Ruby**

```ruby
require "mailblastr"

Mailblastr.api_key = "mb_xxxxxxxxx"

Mailblastr::Webhooks.rotate("4dd369bc-aa82-4ff3-97de-514ae3000ee0")
```

**PHP**

```php
$mailblastr = Mailblastr::client('mb_xxxxxxxxx');

$mailblastr->webhooks->rotate('4dd369bc-aa82-4ff3-97de-514ae3000ee0');
```

**Python**

```python
import mailblastr

mailblastr.api_key = "mb_xxxxxxxxx"

mailblastr.Webhooks.rotate("4dd369bc-aa82-4ff3-97de-514ae3000ee0")
```

**Go**

```go
package main

import (
    "fmt"
    "io"
    "net/http"
)

func main() {
    req, _ := http.NewRequest("POST", "https://api.mailblastr.com/webhooks/4dd369bc-aa82-4ff3-97de-514ae3000ee0/rotate", nil)
    req.Header.Set("Authorization", "Bearer mb_xxxxxxxxx")
    res, _ := http.DefaultClient.Do(req)
    defer res.Body.Close()
    out, _ := io.ReadAll(res.Body)
    fmt.Println(string(out))
}
```

**Rust**

```rust
use reqwest::Client;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let res = Client::new()
        .post("https://api.mailblastr.com/webhooks/4dd369bc-aa82-4ff3-97de-514ae3000ee0/rotate")
        .header("Authorization", "Bearer mb_xxxxxxxxx")
        .send()
        .await?;
    println!("{}", res.text().await?);
    Ok(())
}
```

**Java**

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

var client = HttpClient.newHttpClient();
var request = HttpRequest.newBuilder()
    .uri(URI.create("https://api.mailblastr.com/webhooks/4dd369bc-aa82-4ff3-97de-514ae3000ee0/rotate"))
    .header("Authorization", "Bearer mb_xxxxxxxxx")
    .method("POST", HttpRequest.BodyPublishers.noBody())
    .build();
var response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
```

**.NET**

```csharp
using System.Net.Http;
using System.Text;

var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Post, "https://api.mailblastr.com/webhooks/4dd369bc-aa82-4ff3-97de-514ae3000ee0/rotate");
request.Headers.Add("Authorization", "Bearer mb_xxxxxxxxx");
var response = await client.SendAsync(request);
Console.WriteLine(await response.Content.ReadAsStringAsync());
```

**cURL**

```bash
curl -X POST 'https://api.mailblastr.com/webhooks/4dd369bc-aa82-4ff3-97de-514ae3000ee0/rotate' \
  -H 'Authorization: Bearer mb_xxxxxxxxx'
```

**CLI**

```bash
mailblastr webhooks rotate 4dd369bc-aa82-4ff3-97de-514ae3000ee0
```

### Response

```json
{
  "object": "webhook",
  "id": "4dd369bc-aa82-4ff3-97de-514ae3000ee0",
  "signing_secret": "whsec_xxxxxxxxxx"
}
```

> **Warning:** The new `signing_secret` is only returned here, at rotation. The old secret stops working immediately. Store the new value securely — it cannot be retrieved again.
