Generate or update the secret key for a webhook signature
This call returns the newly-generated secret key. When the subscription for which you’ve generated the key is triggered, the signature appears in the X-ol-signature header, encrypted in Base64 and prepended with v1,.
The signature displayed in the webhook’s header information
Update a subscription’s secret keys
If your organization experiences a security event, you might need to update your secret keys. To do this, run this API call.
Zero downtime secret rotation
When you update a subscription, it takes time for a webhook recipient to process secret key changes. If a webhook is sent before the key change is processed, the recipient could reject a valid webhook because it expects an obsolete key.
As a solution, Orange Logic webhook signatures allow for zero downtime secret rotation, where the webhook sends both the old signature and the new signature while the recipient processes the key change. Both signatures appear in the x-ol-signature header. The old signature is prepended with v1, and the new signature is prepended with v1a,.
The old and updated signatures in the webhook header
By default, Orange Logic sends both signatures for one hour after the key is changed, but you can customize the secret key rotation time period in the Configure Modules Advanced Configuration.
For more technical information about zero downtime secret rotation, refer to Github’s documentation on standard webhooks.