The canonical path is /api/v2/org/webhook-secret/rotate — the /org/ segment is required. POST /api/v2/webhook-secret/rotate (without /org/) does not exist and will return 404.

Storage model
Unlike API keys (which Tumban stores only as a SHA-256 hash), the webhook secret is retained in plaintext on the server. Tumban needs the raw value on every webhook delivery to compute the HMAC signature. Because the secret is shown to you exactly once at rotation time and never reappears in GET /api/v2/org/settings, there is no recovery path — store the value immediately when this endpoint returns it. If you lose it, rotate again and update every verifier in lockstep.
Permissions
Rotating the webhook secret requires an admin role on a dashboard session. Members and API-key auth are rejected with 403.
| Caller | Allowed |
|---|---|
| Dashboard session, role=admin | Yes |
| Dashboard session, role=member | No — 403 Admin role required |
| API key (sk_…) | No — 403 |
Request body
None.

Response
The new secret (64-character hex string). Use it to verify the signature on incoming webhooks. See Signature verification.
ISO 8601 UTC timestamp.
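As an added example (not Tumban's own code), a receiver-side verifier that checks each delivery against the current secret and swaps in the new value returned by this endpoint, so that the verifier can be updated in lockstep with a rotation. The header name X-Tumban-Signature, the hex HMAC-SHA256-over-raw-body scheme, and the secrets and payload are assumptions or constructed placeholders; the page does not state them.

```python
import hashlib
import hmac
import threading

# Assumed (the page does not name them): the signature header and scheme.
SIGNATURE_HEADER = "X-Tumban-Signature"          # hypothetical header name
# Assumed scheme: hex HMAC-SHA256 over the raw request body, keyed with the
# 64-character hex secret that the rotate endpoint returns.


class WebhookVerifier:
    """Holds the current webhook secret and verifies incoming deliveries."""

    def __init__(self, secret: str):
        self._lock = threading.Lock()
        self._secret = secret.encode()

    def rotate(self, new_secret: str) -> None:
        # Swap the secret atomically: each in-flight request sees either the
        # old or the new value, never a partially updated one. Call this with
        # the value the rotate endpoint returned, before that response is lost.
        with self._lock:
            self._secret = new_secret.encode()

    def verify(self, body: bytes, headers: dict) -> bool:
        provided = headers.get(SIGNATURE_HEADER)
        if not provided:
            return False
        with self._lock:
            secret = self._secret
        expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
        # Constant-time comparison so timing does not leak the expected digest.
        return hmac.compare_digest(expected, provided.lower())


def sign_delivery(secret: str, body: bytes) -> dict:
    """Constructed stand-in for the sender side: the header a delivery carries."""
    return {SIGNATURE_HEADER: hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()}


def rotation_demo() -> tuple:
    """Shows that a rotation invalidates deliveries signed with the old secret."""
    old_secret, new_secret = "a" * 64, "b" * 64   # constructed placeholders
    body = b'{"event": "invoice.paid", "id": "evt_constructed"}'  # constructed payload
    verifier = WebhookVerifier(old_secret)
    before = verifier.verify(body, sign_delivery(old_secret, body))   # True
    verifier.rotate(new_secret)
    stale = verifier.verify(body, sign_delivery(old_secret, body))    # False: old secret gone
    fresh = verifier.verify(body, sign_delivery(new_secret, body))    # True
    return before, stale, fresh
```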
Example
Using the dashboard
Rotate the secret
In the Webhook Secret tile, click Rotate Secret. The
description on the tile explains: “Used to verify incoming
webhook payloads. Rotating immediately invalidates the old secret
— update your server before rotating.”
Non-admins do not see the Rotate Secret control.