Secret Rotation

Transyt supports zero-downtime secret rotation by maintaining both a current and previous signing secret for each provider account.

How It Works

Each provider account has two secret fields:

signing_secret_current — The active signing secret
signing_secret_previous — The previous secret (used during rotation)

When verifying a webhook signature, Transyt:

Attempts verification with signing_secret_current
If that fails, attempts verification with signing_secret_previous
If both fail, the webhook is rejected

This allows you to rotate secrets without any downtime or missed webhooks.

Rotation Procedure

1. Generate a new secret in your provider’s dashboard

For example, in Stripe, create a new webhook endpoint secret.

2. Update the Transyt account

Move the current secret to signing_secret_previous and set the new secret as signing_secret_current:

curl -X PATCH https://ingest.transyt.com/admin/accounts/{account_id} \
  -H "X-Admin-Token: YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "signing_secret_current": "new-secret-from-provider",
    "signing_secret_previous": "old-secret"
  }'

3. Update the provider’s webhook configuration

Update the webhook endpoint in your provider’s dashboard to use the new secret.

4. Clean up (optional)

Once you’ve confirmed the provider is sending webhooks with the new secret, you can remove the previous secret:

curl -X PATCH https://ingest.transyt.com/admin/accounts/{account_id} \
  -H "X-Admin-Token: YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"signing_secret_previous": null}'

Delivery Secret Rotation

The same pattern applies to delivery secrets (delivery_secret / project_delivery_secret). When rotating delivery secrets, update your consumer application to accept both the old and new secrets during the transition period.