Rotate the signing secret

Rotate a webhook endpoint's signing secret in place. There is no dual-signing window, so update your receiver in lockstep with the rotation.

The signing secret authenticates every delivery to your endpoint. Rotate it if it may have been exposed, on a schedule, or if you lost the original (it's only ever shown once at creation).

Before you start
Plan: Agency
Role: Owner, Admin

You need the Agency plan and an Owner or Admin role. Be ready to update the secret in your receiver immediately after rotating.

There is no dual-signing window. The old secret stops working immediately when you rotate — Hoursmith does not sign with both the old and new secret during a transition. Update your receiver's secret in lockstep with the rotation, or deliveries will fail signature verification until you do.

Rotate the secret

Prepare to update your receiver

Have a way to deploy the new secret to your receiver quickly — ideally by changing an environment variable or secrets-manager entry, not a code change that needs a full release.

Rotate in place

In Settings → Webhooks (hoursmith.app/settings/webhooks), open the endpoint and rotate its signing secret. A new secret is generated and shown once — copy it now. As with creation, only the wsk_... prefix is shown afterward.

Update your receiver immediately

Set the new secret in your receiver's configuration right away. Because there's no overlap window, any delivery signed with the new secret will fail until your receiver uses it.

Send a test and verify

Send a test event from the UI and confirm your endpoint verifies the signature and returns 2xx. If recent live deliveries failed during the switch, replay them once the new secret is in place.

Store the secret in an environment variable or secrets manager — never in source control — so rotating is a config change you can roll out in seconds.
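Receiver-side example of the steps above, added here and not Hoursmith's own code: the secret is read from an environment variable on every request, so rotating it is a config change, and the walkthrough shows deliveries failing until the receiver holds the new secret. The variable name `HOURSMITH_WEBHOOK_SECRET`, the hex HMAC-SHA256 over the raw body, and the sample `wsk_` values are assumptions; use the signature scheme from Hoursmith's verification documentation.

```python
import hashlib
import hmac
import os

SECRET_ENV = "HOURSMITH_WEBHOOK_SECRET"  # assumed name; use your own config key


def current_secret() -> bytes:
    # Read on every request, not at import time, so a rotated value set in the
    # environment or secrets manager takes effect without a code release.
    value = os.environ.get(SECRET_ENV, "")
    if not value:
        raise RuntimeError(f"{SECRET_ENV} is not set")
    return value.encode()


def sign(secret: bytes, body: bytes) -> str:
    # ASSUMPTION: hex HMAC-SHA256 over the raw request body. The page does not
    # state Hoursmith's scheme; replace this with the documented one.
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_delivery(body: bytes, signature: str) -> int:
    # One secret only: there is no dual-signing window, so no fallback to an old key.
    expected = sign(current_secret(), body)
    if hmac.compare_digest(expected.encode(), signature.encode()):
        return 200
    return 401  # rejected; replay from Hoursmith once the new secret is deployed


def rotation_walkthrough() -> list[int]:
    # Constructed sample values, not real secrets or a real payload.
    old, new = "wsk_old_constructed", "wsk_new_constructed"
    body = b'{"event":"test"}'
    os.environ[SECRET_ENV] = old
    before = handle_delivery(body, sign(old.encode(), body))
    # Hoursmith rotates: deliveries are now signed with the new secret only.
    lagging = handle_delivery(body, sign(new.encode(), body))
    os.environ[SECRET_ENV] = new  # receiver config updated
    after = handle_delivery(body, sign(new.encode(), body))
    stale = handle_delivery(body, sign(old.encode(), body))
    return [before, lagging, after, stale]


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The second status is the gap between rotating and updating the receiver; the fourth confirms the old secret no longer verifies once the switch is complete.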
