Rotate Webhook Secret
Rotate the HMAC signing secret for a webhook endpoint. The new secret is returned once.
Authorizations
Send the credential as Authorization: Bearer <key>.
Scoped partner credentials use the exclusive nxsk_v1_... namespace.
Each scoped key is bound at issuance to one organization, one canonical
named environment, an explicit engine set, and a least-privilege
capability set. A malformed, unknown, rotated, or revoked nxsk_ key
fails closed and is never retried as a legacy key.
Capabilities used by this API are runs:write, runs:read,
engines:read, catalog:read, webhooks:manage,
runs:defensibility:read, runs:test, and converse:use. Operation
descriptions name the required capability.
Grandfathered nx_live_... and nx_test_... keys retain their existing
broad access during the compatibility window.
Path Parameters
Webhook endpoint UUID.
Response
New secret generated.
Endpoint identifier.
New signing secret (whsec_...). Displayed only once.
live-v1 overlaps for 24 hours; sandbox-v1 for five minutes.
live-v1, sandbox-v1 Exact instant when the previous secret stops being valid.