Rotate webhook secret

Generate a fresh per-action webhook secret and re-issue every URL.

This endpoint requires the Unlimited plan.

POST/api/scripts/{script}/actions/{action}/rotate-secret

Rotate the secret

Every action carries a 40-char secret that's bound into the signed webhook URL stored in the systemd unit on each server. Rotating the secret invalidates every previously-issued URL immediately and queues a re-install on every attached server so the new URL ends up in place.

Watch the status field on each server while the re-install runs — it walks through pending → installed (or failed if something went wrong).

Useful if you suspect a unit file has been read by a third party, or as part of a periodic rotation policy.

Request

POST

/api/scripts/{script}/actions/{action}/rotate-secret

curl -X POST "https://ploi.io/api/scripts/{script}/actions/{action}/rotate-secret" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json"

Response

{
  "data": {
    "id": 1,
    "script_id": 42,
    "trigger": "server.booted",
    "trigger_label": "Server has booted",
    "delay_seconds": 30,
    "is_paused": false,
    "last_triggered_at": "2026-05-13T08:42:11+00:00",
    "servers": [
      { "server_id": 12, "status": "pending", "installed_at": null, "last_error": null }
    ],
    "created_at": "2026-05-12 10:11:22",
    "updated_at": "2026-05-13 09:15:00"
  }
}