> ## Documentation Index
> Fetch the complete documentation index at: https://docs.easycred.co.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate Webhook Secret



## OpenAPI

````yaml /api-reference/openapi.json post /api/v1/partner/webhooks/{subscriptionId}/rotate-secret
openapi: 3.1.0
info:
  title: EASYCRED Partner API
  version: 1.0.0
  description: >-
    EASYCRED-managed secure partner API. All requests require a Bearer API key
    plus HMAC request signing (X-Signature / X-Timestamp / X-Nonce). No raw
    customer PII is exposed by this version. Signing convention: the HMAC-SHA256
    is computed over method, path, timestamp, nonce and the raw request body.
    For GET requests (and any request with no body) the body component is the
    EMPTY string '' — sign over '' for those requests.
servers:
  - url: https://api.easycred.in
    description: Production
security:
  - bearerAuth: []
paths:
  /api/v1/partner/webhooks/{subscriptionId}/rotate-secret:
    post:
      summary: Rotate Webhook Secret
      parameters:
        - name: X-Signature
          in: header
          required: true
          description: >-
            HMAC-SHA256 signature over method, path, timestamp, nonce and raw
            body.
          schema:
            type: string
        - name: X-Timestamp
          in: header
          required: true
          description: >-
            Unix epoch seconds. Requests outside the tolerance window are
            rejected.
          schema:
            type: string
        - name: X-Nonce
          in: header
          required: true
          description: Unique per-request nonce. Replays are rejected.
          schema:
            type: string
        - name: subscriptionId
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WebhookSecretResponse'
        '401':
          description: >-
            Authentication failed (missing/invalid key, signature, or replayed
            nonce).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '403':
          description: Authenticated but missing the required scope / product access.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '404':
          description: Resource not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '429':
          description: Rate limit exceeded.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
      security:
        - bearerAuth:
            - webhooks:manage
components:
  schemas:
    WebhookSecretResponse:
      type: object
      description: Returned on rotate-secret. The new plaintext `secret` is shown ONCE.
      properties:
        success:
          type: boolean
          const: true
        data:
          type: object
          properties:
            secret:
              type: string
              description: New HMAC signing secret. Returned exactly once.
          required:
            - secret
      required:
        - success
        - data
    ApiError:
      type: object
      properties:
        success:
          type: boolean
          const: false
        error:
          type: string
      required:
        - success
        - error
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: >-
        API key of the form ec_(live|test)_<prefix>_<secret>. Scopes are listed
        per operation.

````