> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ochy.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate webhook signing secret

> Generate a new HMAC-SHA256 signing secret for webhook delivery.

The new `secret` is returned once in this response. Store it securely and update your
webhook receiver to verify future requests with this value.




## OpenAPI

````yaml /openapi.yaml post /webhook/signature/rotate
openapi: 3.0.1
info:
  title: Ochy Partner API
  version: 1.0.0
  description: >
    The Ochy Partner API lets you integrate running biomechanical analysis into
    your application.

    Upload a video of a runner, receive detailed biomechanical metrics, joint
    angles, running style

    classification, and frame-by-frame position data.
servers:
  - url: https://partner-api.ochy-prod.com
    description: Production
security:
  - apiKey: []
paths:
  /webhook/signature/rotate:
    post:
      tags:
        - Webhooks
      summary: Rotate webhook signing secret
      description: >
        Generate a new HMAC-SHA256 signing secret for webhook delivery.


        The new `secret` is returned once in this response. Store it securely
        and update your

        webhook receiver to verify future requests with this value.
      operationId: rotateWebhookSignature
      responses:
        '200':
          description: New webhook signing secret generated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PartnerWebhookSignatureResponse'
              example:
                enabled: true
                algorithm: HMAC-SHA256
                last4: 7Tq2
                created_at: '2026-03-23T10:45:00Z'
                updated_at: '2026-03-23T11:15:00Z'
                secret: YOUR_NEW_SIGNING_SECRET
        '400':
          description: Signature is not configured yet.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              example:
                detail: Signature has not been configured yet.
                code: signature_not_configured
        '401':
          description: Missing API key.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthErrorResponse'
        '403':
          description: Invalid API key.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthErrorResponse'
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
components:
  schemas:
    PartnerWebhookSignatureResponse:
      type: object
      description: >-
        Webhook signing configuration. The `secret` field is returned only when
        generated or rotated.
      properties:
        enabled:
          type: boolean
          description: Whether Ochy signs webhook requests.
          example: true
        algorithm:
          type: string
          description: Signature algorithm used for webhook requests.
          enum:
            - HMAC-SHA256
          example: HMAC-SHA256
        last4:
          type: string
          description: >-
            Last four characters of the current signing secret, for
            identification.
          example: n6p8
        created_at:
          type: string
          format: date-time
          description: When the current signing secret was created (ISO 8601 UTC).
          example: '2026-03-23T10:45:00Z'
        updated_at:
          type: string
          format: date-time
          description: When the signature configuration was last updated (ISO 8601 UTC).
          example: '2026-03-23T10:45:00Z'
        secret:
          type: string
          description: >-
            Full signing secret. Returned only when generated or rotated; store
            it securely.
          example: YOUR_GENERATED_SIGNING_SECRET
    ErrorResponse:
      type: object
      properties:
        detail:
          type: string
          example: Internal server error
        code:
          type: string
          description: Machine-readable error code (present on some errors).
          example: insufficient_credits
    AuthErrorResponse:
      type: object
      properties:
        detail:
          type: string
          example: API Key is missing
  securitySchemes:
    apiKey:
      type: apiKey
      in: query
      name: apiKey
      description: Your API key, passed as a query parameter on every request.

````