> ## Documentation Index
> Fetch the complete documentation index at: https://docs.agribackup.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate the HMAC-SHA256 Signing Secret for a Webhook

> Regenerate the HMAC-SHA256 signing secret for a webhook subscription. The new secret is returned once and must be stored immediately.

Generates a new HMAC-SHA256 signing secret for the specified webhook subscription and invalidates the previous secret immediately. Use this endpoint if a secret is compromised, lost, or requires rotation as part of your security policy.

<Warning>
  The new `signingSecret` is returned **only once** in the response to this call. Store it immediately in a secrets manager. After rotating, update your signature verification logic to use the new secret — payloads signed with the old secret will fail validation instantly.
</Warning>

## Rotation Procedure

To rotate a webhook secret safely without dropping events:

1. Call this endpoint to generate the new secret.
2. Store the new secret alongside the old one in your secrets store temporarily.
3. Update your webhook handler to accept signatures verified by either secret during a brief transition window.
4. Once you confirm all in-flight payloads have been processed, remove the old secret from your handler.

<CodeGroup>
  ```python Python theme={null}
  import requests

  webhook_id = "wh_12345"
  headers = {"X-API-Key": "sk_live_YOUR_API_KEY"}

  response = requests.post(
      f"https://live.agribackup.com/api/v1/enterprise/eudr/webhooks/{webhook_id}/rotate-secret",
      headers=headers,
  )
  new_secret = response.json()
  print(new_secret)
  ```

  ```javascript Node.js theme={null}
  const webhookId = "wh_12345";
  const response = await fetch(
    `https://live.agribackup.com/api/v1/enterprise/eudr/webhooks/${webhookId}/rotate-secret`,
    {
      method: "POST",
      headers: { "X-API-Key": "sk_live_YOUR_API_KEY" },
    }
  );
  const newSecret = await response.json();
  console.log(newSecret);
  ```

  ```bash cURL theme={null}
  curl -X POST \
    "https://live.agribackup.com/api/v1/enterprise/eudr/webhooks/wh_12345/rotate-secret" \
    -H "X-API-Key: sk_live_YOUR_API_KEY"
  ```
</CodeGroup>


## OpenAPI

````yaml post /api/v1/enterprise/eudr/webhooks/{webhookId}/rotate-secret
openapi: 3.0.1
info:
  title: AgriBackup Enterprise EUDR API
  description: >-
    # Introduction


    AgriBackup is the cryptographic compliance engine for EU-bound commodity
    imports. Built on Deterministic Logic, Immutable Evidence, and
    High-Throughput Ingestion, our API provides Tier-1 enterprise routing for EU
    Deforestation Regulation (EUDR).


    ## The Integration Vector

    To integrate this Digital Trust Layer into your ERP, you must execute the
    following sequence:

    1. **Authentication:** Generate your `X-API-Key` from the client dashboard.

    2. **Telemetry:** Register your webhook URLs via `POST /webhooks`.

    3. **Ingestion:** Push your GeoJSON polygons via `POST /polygons`.

    4. **Logistics:** Lock the batch to a shipment via `POST /shipments/link`.


    ## Asynchronous Architecture

    Because satellite deforestation screening and Hedera DLT anchoring take
    time, ingestion endpoints return a `202 Accepted`. You must listen for the
    corresponding Webhook to confirm cryptographic execution.


    ## Base URLs

    * **Production:** `https://live.agribackup.com`

    * **Sandbox:** `https://sandbox.agribackup.com`
  contact:
    name: AgriBackup Architecture Team
    url: https://agribackup.com
    email: contact@agribackup.com
  license:
    name: Proprietary
    url: https://agribackup.com/terms
  version: v1.0
servers:
  - url: https://live.agribackup.com
    description: Production (Mainnet)
  - url: https://sandbox.agribackup.com
    description: Sandbox (Testnet)
security: []
tags:
  - name: Enterprise Risk Management
  - name: Enterprise Clearance Webhooks
    description: Asynchronous status receivers for TRACES NT
  - name: Enterprise Jobs
    description: Query status and metrics of asynchronous compliance jobs
  - name: Enterprise Suppliers
  - name: Enterprise Diagnostics
    description: Monitor API health, consensus ledger, and satellite systems availability
  - name: Enterprise Suppliers
    description: Map internal ERP vendor IDs to EU Operator UUIDs
  - name: Enterprise Webhooks
    description: Register endpoints for asynchronous compliance events
  - name: Enterprise Archival
    description: Endpoints for bulk compliance archiving and auditor extensibility
  - name: Enterprise Logistics
    description: Smart contract linking of batches to logistics shipments
  - name: Enterprise Declarations
    description: DDS generation with legal land tenure proofs
  - name: Enterprise Batches
  - name: Enterprise API Keys
  - name: Enterprise Diagnostics
  - name: Enterprise Logistics
  - name: Enterprise Jobs
  - name: Enterprise Evidence
    description: Cryptographic evidence ledger anchored on Hedera Hashgraph
  - name: Enterprise Declarations
  - name: Enterprise Credentials
  - name: Enterprise Evidence
  - name: Enterprise Risk Management
    description: Pre-assessment of country risk and satellite deforestation probabilities
  - name: Enterprise Batches
    description: Programmatic batch ingestion and management
  - name: Enterprise Polygons
  - name: Introduction
  - name: Enterprise Polygons
    description: Programmatic polygon ingestion and verification
  - name: Enterprise Archival
  - name: Enterprise Credentials
    description: Programmatic ingestion of vault-secured enterprise secrets
  - name: Enterprise API Keys
    description: Endpoints for managing B2B API Keys (Requires standard JWT login)
  - name: Enterprise Webhooks
paths:
  /api/v1/enterprise/eudr/webhooks/{webhookId}/rotate-secret:
    post:
      tags:
        - Enterprise Webhooks
      summary: Rotate Webhook Secret
      description: >-
        Regenerates and returns a new HMAC-SHA256 signing secret for the
        specified webhook subscription.
      operationId: rotateSecret
      parameters:
        - name: webhookId
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: OK
          headers:
            X-RateLimit-Limit:
              description: >-
                The maximum number of requests you're permitted to make per
                hour.
              schema:
                type: integer
                format: int32
            X-RateLimit-Remaining:
              description: >-
                The number of requests remaining in the current rate limit
                window.
              schema:
                type: integer
                format: int32
            X-RateLimit-Reset:
              description: >-
                The time at which the current rate limit window resets in UTC
                epoch seconds.
              schema:
                type: integer
                format: int32
          content:
            '*/*':
              schema:
                type: object
      security:
        - ApiKeyAuth: []
      x-codeSamples:
        - lang: Python
          source: >-
            import agribackup

            from agribackup.rest import ApiException


            # Initialize Client

            configuration =
            agribackup.Configuration(host="https://live.agribackup.com/api/v1")

            configuration.api_key['ApiKeyAuth'] = 'sk_live_YOUR_API_KEY'


            with agribackup.ApiClient(configuration) as api_client:
                try:
                    api_instance = agribackup.EnterpriseWebhooksApi(api_client)
                    response = api_instance.rotate_secret()
                    print(response)
                except ApiException as e:
                    print("Exception when calling API: %s\n" % e)
        - lang: Node.js
          source: |-
            import { AgriBackupClient } from '@agribackup/sdk';

            // Initialize Client
            const client = new AgriBackupClient({
              apiKey: 'sk_live_YOUR_API_KEY',
              baseUrl: 'https://live.agribackup.com/api/v1'
            });

            async function execute() {
              try {
                const response = await client.webhooks.rotateSecret();
                console.log(response);
              } catch (error) {
                console.error(error);
              }
            }
        - lang: Java
          source: |-
            import com.agribackup.client.*;
            import com.agribackup.client.api.*;
            import com.agribackup.client.model.*;

            public class Example {
                public static void main(String[] args) {
                    ApiClient defaultClient = Configuration.getDefaultApiClient();
                    defaultClient.setBasePath("https://live.agribackup.com/api/v1");
                    defaultClient.setApiKey("sk_live_YOUR_API_KEY");

                    EnterpriseWebhooksApi apiInstance = new EnterpriseWebhooksApi(defaultClient);
                    try {
                        Object result = apiInstance.rotateSecret();
                        System.out.println(result);
                    } catch (ApiException e) {
                        System.err.println("Exception when calling API: " + e.getResponseBody());
                    }
                }
            }
        - lang: C#
          source: |-
            using System;
            using System.Threading.Tasks;
            using AgriBackup.SDK.Api;
            using AgriBackup.SDK.Client;
            using AgriBackup.SDK.Model;

            class Program {
                static async Task Main() {
                    Configuration config = new Configuration();
                    config.BasePath = "https://live.agribackup.com/api/v1";
                    config.AddApiKey("ApiKeyAuth", "sk_live_YOUR_API_KEY");

                    var apiInstance = new EnterpriseWebhooksApi(config);
                    try {
                        var result = await apiInstance.RotateSecretAsync();
                        Console.WriteLine(result);
                    } catch (ApiException e) {
                        Console.WriteLine("Exception when calling API: " + e.Message);
                    }
                }
            }
components:
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      description: Enterprise API Key provided via the AgriBackup developer console.
      name: X-API-Key
      in: header

````