Skip to main content
POST
/
webhooks
/
subscriptions
/
{subscription_id}
/
rotate-secret
Rotate the signing secret
curl --request POST \
  --url https://api-sandbox.ledgersyncappv2.com/v3/webhooks/subscriptions/{subscription_id}/rotate-secret \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{}'
{
  "id": "whk_01HXYZ8A6N7K2W9PQ4T5Z3V6E0",
  "url": "<string>",
  "event_types": [
    "connection.requires_action",
    "connection.active",
    "connection.failed",
    "connection.disconnected",
    "connection.capability_changed",
    "account.refresh.completed",
    "account.refresh.failed"
  ],
  "created_at": "2023-11-07T05:31:56Z",
  "signing_secret": "<string>",
  "last_success_at": "2023-11-07T05:31:56Z",
  "last_failure_at": "2023-11-07T05:31:56Z"
}

Authorizations

Authorization
string
header
required

Pass your secret key in the Authorization header as a Bearer token: Authorization: Bearer sk_test_... (sandbox) or Bearer sk_live_... (production).

Keys are created in the developer portal and the plaintext secret is shown exactly once at creation. Treat them like passwords — never embed them in mobile apps or front-end code.

Path Parameters

subscription_id
string
required

Body

application/json

No body. Send Content-Length: 0 so the upstream load balancer doesn't reject the request with 411.

The body is of type object | null.

Response

The new signing secret (returned exactly once).

id
string
required
Example:

"whk_01HXYZ8A6N7K2W9PQ4T5Z3V6E0"

url
string<uri>
required
event_types
string[]
required
Example:
[
"connection.requires_action",
"connection.active",
"connection.failed",
"connection.disconnected",
"connection.capability_changed",
"account.refresh.completed",
"account.refresh.failed"
]
status
enum<string>
required
Available options:
active,
paused,
disabled
created_at
string<date-time>
required
signing_secret
string
required

Plaintext signing secret. Use HMAC-SHA256 with this secret to verify the X-LS-Webhook-Signature header on incoming deliveries. Returned ONCE; store it securely.

last_success_at
string<date-time> | null
last_failure_at
string<date-time> | null