All requests below will use this key. Your API key is sent directly to api.cueapi.ai and never stored by the docs site.
/v1/auth/alert-webhook-secret/regenerateRotate Alert Webhook Secret
Rotate the HMAC-SHA256 secret used to sign alert webhook deliveries. Old secret is invalidated immediately.
Rotates the HMAC-SHA256 secret used for alert webhook delivery. The previous secret is immediately invalidated — any alert receiver still verifying with the old secret will fail.
Warning
Destructive. Requires the X-Confirm-Destructive: true header. Without it, returns 400 confirmation_required. Only rotate when you're ready to update every receiver.
Request
curl -X POST https://api.cueapi.ai/v1/auth/alert-webhook-secret/regenerate \
-H "Authorization: Bearer cue_sk_YOUR_KEY" \
-H "X-Confirm-Destructive: true"Response
{
"alert_webhook_secret": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
"previous_secret_revoked": true
}Errors
| Status | Code | Cause |
|---|---|---|
| 400 | confirmation_required | Missing X-Confirm-Destructive: true header |
| 401 | not_authenticated | Missing/invalid bearer token |
Rotate-without-loss pattern
Unlike the cue execution webhook secret, alerts are inherently best-effort and ephemeral — the rotate-without-downtime pattern is simpler:
- Update your alert receiver to compute and accept signatures from both the old secret and a new candidate value.
- Call this endpoint to mint the new secret.
- Watch one alert delivery succeed under the new secret.
- Remove the old secret from your verifier.
If you don't have time for the dual-verifier window, briefly disable alert delivery (clear alert_webhook_url via PATCH /v1/auth/me), rotate, then re-enable.
/v1/auth/alert-webhook-secret/regenerate