# Rotate the webhook signing key

**POST** `/webhooks/signing-keys/rotate`

Generates a new signing key for webhook deliveries and demotes the previous
active key to "expiring" with a 24-hour overlap. During the overlap, both
keys are valid signers, so receivers can update at their own pace.
Returns the plaintext of the newly generated key exactly once.

Authentication: bearerAuth
Required scopes: `webhook:update`
Allowed roles: `owner`, `admin`
Authorization: Rotate a webhook signing key.

## Responses

- `200`: New key generated; plaintext returned exactly once
- `default`: Error
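
A receiver can honor the overlap by accepting a signature from either the new key or the expiring one until the 24 hours have passed. The sketch below is an added example, not code from this API or its SDK. It assumes deliveries are signed with HMAC-SHA256 over the raw body and hex-encoded (this page does not state the scheme); `SigningKeyRing`, `sign` and `rotated_at` are hypothetical names.

```python
import hashlib
import hmac
import time
from typing import Optional

OVERLAP_SECONDS = 24 * 60 * 60  # the 24h overlap stated on this page


def sign(key: bytes, body: bytes) -> str:
    """Assumed sender behavior: HMAC-SHA256 over the raw body, hex-encoded."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class SigningKeyRing:
    """Receiver-side set of accepted signing keys (hypothetical helper)."""

    def __init__(self, active_key: bytes):
        # Each entry is (key, not_after); not_after=None marks the active key.
        self._keys = [(active_key, None)]

    def rotate(self, new_key: bytes, rotated_at: float) -> None:
        """Install the key returned by the rotate call and demote the old one."""
        old_active = self._keys[0][0]
        # Assumption: only the previously active key is kept as "expiring";
        # any older expiring key is dropped.
        self._keys = [(new_key, None), (old_active, rotated_at + OVERLAP_SECONDS)]

    def verify(self, body: bytes, signature_hex: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        ok = False
        for key, not_after in self._keys:
            if not_after is not None and now >= not_after:
                continue  # expiring key is past its overlap window: reject
            expected = sign(key, body).encode()
            # Constant-time compare; try every key instead of returning early.
            ok |= hmac.compare_digest(expected, signature_hex.encode())
        return ok
```

Pass the time of the rotate call as `rotated_at` rather than the time the receiver was redeployed, so the receiver stops trusting the old key when the overlap ends.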
