How-to
Rotate webhook secret
Zero-downtime rotation of your codingassist.bot webhook signing secret.
codingassist.bot signs every outbound webhook with HMAC-SHA256. Rotating the secret keeps your verification key fresh without dropping deliveries.
Procedure
Generate a new secret
From Settings → Webhooks click Rotate. codingassist.bot generates a new secret and starts signing with both the old and the new (overlap window: 24 h).
Update your verifier
Deploy your service with the new secret as WEBHOOK_SECRET_NEXT (keeping the old as WEBHOOK_SECRET). Verify against either.
const ok = verify(req.body, sigHeader, env.WEBHOOK_SECRET) || verify(req.body, sigHeader, env.WEBHOOK_SECRET_NEXT);
Promote the new secret
After your overlap window, swap WEBHOOK_SECRET = WEBHOOK_SECRET_NEXT and remove the old. codingassist.bot will stop signing with the old secret 24 h after rotation.
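The dual-secret check from the procedure above with a concrete verify, as an added example that is not codingassist.bot's own code. It assumes the signature header carries the hex-encoded HMAC-SHA256 of the raw request body, which this page does not specify; verifyDuringRotation, sign and the sample secrets are hypothetical.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// rawBody: the request bytes exactly as received, before any JSON parsing.
// Assumption: sigHeader is the hex-encoded HMAC-SHA256 of those bytes.
function verify(rawBody, sigHeader, secret) {
  // An unset or empty secret must never match: after promotion
  // WEBHOOK_SECRET_NEXT is removed, and an empty HMAC key is forgeable.
  if (typeof secret !== 'string' || secret.length === 0) return false;
  if (typeof sigHeader !== 'string') return false;
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(sigHeader.trim(), 'hex');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length && timingSafeEqual(received, expected);
}

// Returns 'current', 'next', or null (hypothetical helper name). Reporting
// which slot matched lets you confirm the new secret works before promoting it.
function verifyDuringRotation(rawBody, sigHeader, env) {
  if (verify(rawBody, sigHeader, env.WEBHOOK_SECRET)) return 'current';
  if (verify(rawBody, sigHeader, env.WEBHOOK_SECRET_NEXT)) return 'next';
  return null;
}

// Constructed sample data: the secrets and body are made up for this example.
const sign = (body, secret) => createHmac('sha256', secret).update(body).digest('hex');
const body = Buffer.from('{"event":"review.completed","id":"evt_sample"}');
const overlapEnv = { WEBHOOK_SECRET: 'old-sample-secret', WEBHOOK_SECRET_NEXT: 'new-sample-secret' };
const promotedEnv = { WEBHOOK_SECRET: 'new-sample-secret' }; // old secret removed

// During the overlap window both signatures are accepted.
console.log(verifyDuringRotation(body, sign(body, 'old-sample-secret'), overlapEnv));
console.log(verifyDuringRotation(body, sign(body, 'new-sample-secret'), overlapEnv));
// After promotion the old secret no longer verifies.
console.log(verifyDuringRotation(body, sign(body, 'old-sample-secret'), promotedEnv));
```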