Rotate the signing secret
Generate a fresh signing secret. The old one stays valid for a 24-hour grace period so you can deploy your new verifier without dropping a delivery. After that, only the new secret will pass signature checks.
Store the returned signing_secret immediately — same deal
as creation, you only get to see it once.
Empty-body POST
This endpoint takes no request body. Send an explicit
Content-Length: 0 header — Google’s HTTPS load balancer
in front of the API rejects body-less POSTs without one
with 411 Length Required.
Authorizations
Pass your secret key in the Authorization header as a Bearer
token: Authorization: Bearer sk_test_... (sandbox) or
Bearer sk_live_... (production).
Keys are created in the developer portal and the plaintext secret is shown exactly once at creation. Treat them like passwords — never embed them in mobile apps or front-end code.
Path Parameters
Body
No body. Send Content-Length: 0 so the upstream load
balancer doesn't reject the request with 411.
The body is of type object | null.
Response
The new signing secret (returned exactly once).
"whk_01HXYZ8A6N7K2W9PQ4T5Z3V6E0"
[
"connection.requires_action",
"connection.active",
"connection.failed",
"connection.disconnected",
"connection.capability_changed",
"account.refresh.completed",
"account.refresh.failed"
]active, paused, disabled Plaintext signing secret. Use HMAC-SHA256 with this secret
to verify the X-LS-Webhook-Signature header on incoming
deliveries. Returned ONCE; store it securely.
