Pientegra API
Backend-to-Backend API

Webhook Config (self-serve)

Rotate the partner webhook URL and signing secret through the API.

Webhook URL or secret rotation does not require an ops channel. A partner can call PUT /external/site/webhook-config with its own API key and update the settings directly. The new secret is returned once in the response; if you do not store it, you must rotate again.

Update webhook config

PUT /api/v1/external/site/webhook-config
New URL + new secret
curl -X PUT "$PIENTEGRA_API_BASE/external/site/webhook-config" \
  -H "Authorization: Bearer $PIENTEGRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "webhookUrl": "https://api.partner.com/pientegra/webhooks",
    "rotateSecret": true
  }'
Response
{
  "webhookUrl": "https://api.partner.com/pientegra/webhooks",
  "webhookSecret": "whsec_NN3hv5lXbE0...",
  "rotatedAt": "2026-04-28T16:00:00.000Z"
}

Body fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| webhookUrl | string (URL) | Yes | HTTPS endpoint. Pientegra sets this URL as the delivery target. |
| rotateSecret | boolean | No | true by default: generate a new signing secret and return it in the response. false: keep the current secret and update only the URL. |

Response fields

| Field | Description |
| --- | --- |
| webhookUrl | Active new URL, echoed back. |
| webhookSecret | whsec_<32-byte-base64url>; present only when rotateSecret=true, otherwise null. |
| rotatedAt | UTC timestamp when the rotation was recorded server-side. |

Rotation playbook

To move from the old secret to the new one without downtime, keep a short overlap window in your handler:

  1. Call PUT /external/site/webhook-config and store the new secret.
  2. Verify every incoming webhook with the new secret first, then fall back to the old secret if verification fails.
  3. After Pientegra completes in-flight retries that started with the old secret, remove the old secret from the handler. Worst case: 8 attempts x roughly 5 minutes, around a 10-minute window.

For HMAC verification details, see Webhook Security.
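The overlap handling from steps 2 and 3 of the playbook, as an added example that is not Pientegra's own code. It assumes the signature is a hex-encoded HMAC-SHA256 of the raw request body (the actual scheme is defined on the Webhook Security page); the names WebhookSecrets, sign_body and verify_webhook are hypothetical, and the secrets and payload are constructed.

```python
import hashlib
import hmac
import time
from typing import NamedTuple, Optional


class WebhookSecrets(NamedTuple):
    current: bytes                     # secret returned by the latest rotation
    previous: Optional[bytes] = None   # secret that was active before it
    previous_expires_at: float = 0.0   # epoch seconds; end of the overlap window


def sign_body(secret: bytes, raw_body: bytes) -> str:
    # ASSUMPTION: hex-encoded HMAC-SHA256 over the raw body bytes.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def _matches(secret: bytes, raw_body: bytes, signature: str) -> bool:
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    expected = sign_body(secret, raw_body).encode("ascii")
    return hmac.compare_digest(expected, signature.strip().lower().encode("utf-8"))


def verify_webhook(secrets, raw_body, signature, now=None):
    """Return "current" or "previous" for the secret that verified, else None."""
    now = time.time() if now is None else now
    # Step 2: try the new secret first.
    if _matches(secrets.current, raw_body, signature):
        return "current"
    # Step 3: accept the old secret only until the overlap window closes.
    in_overlap = secrets.previous is not None and now < secrets.previous_expires_at
    if in_overlap and _matches(secrets.previous, raw_body, signature):
        return "previous"
    return None


if __name__ == "__main__":
    # Constructed sample values, not real Pientegra secrets or payloads.
    secrets = WebhookSecrets(b"whsec_new_constructed", b"whsec_old_constructed",
                             previous_expires_at=time.time() + 600)
    body = b'{"event":"constructed.sample"}'
    print(verify_webhook(secrets, body, sign_body(b"whsec_old_constructed", body)))
```

Logging the returned label shows when deliveries signed with the old secret stop arriving, which is the point at which the old secret can be removed from the handler.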

Audit

Each rotation emits a SITE.WEBHOOK_CONFIG_ROTATED audit event. A partner or Pientegra ops can check the Audit Log at any time to see who performed the rotation and when. Event metadata includes rotatedSecret: true|false.
