Skip to main content
POST
/
v1
/
webhook_endpoints
/
{endpointId}
/
rotate-secret
Rotate webhook signing secret
curl --request POST \
  --url https://api.mareaalcalina.com/v1/webhook_endpoints/{endpointId}/rotate-secret \
  --header 'Authorization: Bearer <token>'
{
  "endpointId": "mk_we_0123456789abcdef",
  "url": "<string>",
  "description": "<string>",
  "enabled": true,
  "subscribedEvents": [],
  "signingSecretVersion": 2,
  "createdAt": "2023-11-07T05:31:56Z",
  "updatedAt": "2023-11-07T05:31:56Z",
  "lastDeliveryAt": "2023-11-07T05:31:56Z",
  "consecutiveFailures": 1,
  "signingSecret": "<string>"
}

Authorizations

Authorization
string
header
required

Marea API key. mk_dev_* keys are developer-scoped (bootstrap, list users, register webhook). mk_user_* keys are user-scoped (manage that one user's storefronts/products). Scopes: catalog:read, catalog:write, storefront:publish, me:verify, me:resendVerification, developer:bootstrap, developer:read, developer:issueUserKey, developer:webhooks.

Headers

Idempotency-Key
string

Optional client-supplied key. Replays of the same key within 24h return the original response. Recommended for POSTs that mutate billing/inventory.

Maximum string length: 200
Example:

"idem_b2a9f5b9-3e0c-4a5e-b3c2-7a4ce85a6b21"

Accept-Language
string

BCP-47 locale tag for localized error messages (es, en, pt). Defaults to es.

Example:

"es-MX"

Path Parameters

endpointId
string
required

Response

New secret revealed once.

PRD-14 — WebhookEndpoint plus the once-revealed signingSecret. Returned by create + rotate-secret responses only.

endpointId
string
required

Server-generated id (mk_we_ + 16-char lowercase hex).

Pattern: ^mk_we_[0-9a-f]{16}$
Example:

"mk_we_0123456789abcdef"

scope
enum<string>
required

Endpoint owner type. developer endpoints receive lifecycle events for users you bootstrapped plus order events from their storefronts; merchant endpoints receive order events for one storefront.

Available options:
developer,
merchant
url
string<uri>
required

Receiver URL. HTTPS only. Max 2048 chars. SSRF blocklist applies (loopback, private ranges, metadata hosts, .internal, etc).

description
string | null
required
Maximum string length: 256
enabled
boolean
required

When false, the dispatcher skips this endpoint without retiring it.

subscribedEvents
enum<string>[]
required

At least one event subscription is required.

Minimum array length: 1

Enum of webhook event types a WebhookEndpoint may subscribe to. Developer-scope endpoints can subscribe to any value; merchant-scope endpoints are restricted to order.* (PRD-14).

Available options:
user.verified,
user.cancelled,
order.created,
order.status_updated,
order.paid
signingSecretVersion
integer
required

Bumped by one each time the secret is rotated.

Required range: x >= 1
createdAt
string<date-time>
required
updatedAt
string<date-time>
required
lastDeliveryAt
string<date-time> | null
required
lastDeliveryStatus
enum<string> | null
required
Available options:
success,
failure,
null
consecutiveFailures
integer
required
Required range: x >= 0
signingSecret
string
required

Raw 32-byte hex signing secret. Returned ONCE on create + rotate; not readable thereafter. Store immediately.

Pattern: ^[0-9a-f]{64}$