Rotating a webhook's secret

Learn how to rotate a webhook's secret.


Last updated 5 months ago


Rotating a webhook's secret in Global Commerce is an essential security measure ensuring the integrity and confidentiality of your webhooks. This process allows you to replace an existing webhook's secret with a new one, safeguarding your application against unauthorized access and potential security risks. By routinely updating webhook secrets, you enhance your security posture and maintain the trustworthiness of your service integration. Whether you suspect a compromise or are rotating secrets as a precautionary measure, Global Commerce provides a straightforward method to manage this process, including options for immediate replacement or a grace period for transition. This guide outlines the steps to safely and effectively rotate a webhook's secret in Global Commerce.

Secret rotation is necessary in several scenarios, including but not limited to:

  1. Suspected compromise: If you suspect that your webhook's secret has been compromised, rotating it immediately helps protect against unauthorized access.

  2. Routine security measures: As part of regular security hygiene, rotating secrets periodically reduces the risk of a secret being discovered or misused.

  3. Changes in integration: When significant changes occur in the systems or applications integrated with your Global Commerce webhooks, it's prudent to rotate secrets to ensure only authorized systems can communicate.

  4. Policy compliance: Many organizations have policies requiring regular rotation of secrets to comply with industry standards and regulations.

When you rotate a webhook's secret in Global Commerce, you are presented with several Expiration Time options. These options determine when the new secret will become active and when the old secret will be invalidated. Here's what each option means:

  • Immediately: The new secret is activated, and the old one becomes invalid. This is the best option if you suspect a compromise and need to secure your webhook immediately.

  • 1 Hour: There's a one-hour grace period before the new secret is activated. Use this if you need a short window to update your systems without interrupting services.

  • 3 Hours, 6 Hours, 12 Hours: These options provide longer grace periods, which are useful if multiple systems need the new secret and you need more time to update them all.

  • 24 Hours: This option gives you a full day to transition to the new secret, minimizing the risk of service disruption for more complex integration setups.

Choosing the right expiration time depends on your operational requirements and the urgency of the secret rotation. For immediate security concerns, "Immediately" ensures the fastest protection. For planned rotations, choosing a longer duration allows for a smoother update process across your infrastructure without service interruption.

You can maintain up to five secrets per webhook. To rotate a webhook's secret:

  1. Sign in to Global Commerce.

  2. Select Administration, and then click Webhook Service. The Webhook Service page appears.

  3. Find the webhook with the secret you want to rotate and click the Rotate Secret link. The Reveal Secret dialog appears.

  4. Choose an expiration option from the Expiration Time list. Your options are Immediately, 1 Hour, 3 Hours, 6 Hours, 12 Hours, or 24 Hours.

  5. Provide your Global Commerce username and click Rotate. Note that the Username field is case-sensitive. Click if you want to see the new secret token.

After you rotate a webhook's secret in Global Commerce, follow these steps to ensure a smooth transition:

  1. Update your systems: Immediately update all systems, applications, and integrations that use the webhook with the new secret to ensure uninterrupted service.

  2. Test the webhook: Perform thorough testing to confirm that your systems can successfully receive and process webhook events using the new secret.

  3. Monitor for issues: Monitor your webhook's logs and system notifications for any errors or irregularities that may indicate problems with the secret rotation.

  4. Retire the old secret: Once you're confident that the new secret is working as expected and the grace period (if any) has passed, ensure no systems are still using the old secret before it becomes invalid.
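
The receiver side of the transition steps above, as an added example that is not part of the Global Commerce documentation or Digital River's code: a verifier that accepts any secret still in rotation, drops the old one when its expiration time passes, and records which secret verified each delivery so you can tell when the old one has gone quiet. This page does not describe the signature format, so the scheme (hex HMAC-SHA256 over the raw request body), the `old`/`new` labels, the `expires_at` bookkeeping and all sample values are assumptions.

```python
import hashlib
import hmac
import time

MAX_SECRETS = 5  # the page states a webhook can hold up to five secrets


def sign(key: bytes, body: bytes) -> str:
    # Assumed scheme: hex HMAC-SHA256 of the raw request body.
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class RotatingVerifier:
    """Accept deliveries signed with any secret that is still in rotation."""

    def __init__(self, secrets):
        # secrets: {label: {"key": bytes, "expires_at": epoch seconds or None}}
        if not 0 < len(secrets) <= MAX_SECRETS:
            raise ValueError("expected between 1 and 5 secrets")
        self.secrets = secrets
        self.last_match = {}  # label -> time of the last delivery it verified

    def verify(self, body: bytes, signature: str, now=None):
        """Return the label of the secret that verified the body, else None."""
        now = time.time() if now is None else now
        presented = signature.encode("utf-8", "replace")
        matched = None
        for label, entry in self.secrets.items():
            expires = entry["expires_at"]
            if expires is not None and now >= expires:
                continue  # grace period over: the old secret no longer counts
            expected = sign(entry["key"], body).encode()
            # Constant-time compare with no early exit, so response timing
            # does not reveal which secret matched.
            if hmac.compare_digest(expected, presented) and matched is None:
                matched = label
        if matched is not None:
            self.last_match[matched] = now
        return matched

    def safe_to_retire(self, label, quiet_seconds, now=None):
        """True once `label` has verified nothing for `quiet_seconds`."""
        now = time.time() if now is None else now
        last = self.last_match.get(label)
        return last is None or now - last >= quiet_seconds


# Constructed sample: rotation at t=1000 with a 1 Hour expiration time.
ROTATED_AT = 1000
BODY = b'{"type":"constructed.sample.event"}'
verifier = RotatingVerifier({
    "old": {"key": b"constructed-old-secret", "expires_at": ROTATED_AT + 3600},
    "new": {"key": b"constructed-new-secret", "expires_at": None},
})
```

Logging the label returned by `verify` gives the monitoring step a concrete signal: deliveries that still match `old` late in the grace period point to a sender or proxy that has not picked up the new secret.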
