Rotating a webhook's secret

Rotating a webhook's secret in Global Commerce is an essential security measure ensuring the integrity and confidentiality of your webhooks. This process allows you to replace an existing webhook's secret with a new one, safeguarding your application against unauthorized access and potential security risks. By routinely updating webhook secrets, you enhance your security posture and maintain the trustworthiness of your service integration. Whether you suspect a compromise or are rotating secrets as a precautionary measure, Global Commerce provides a straightforward method to manage this process, including options for immediate replacement or a grace period for transition. This guide outlines the steps to safely and effectively rotate a webhook's secret in Global Commerce.

Secret rotation is necessary in several scenarios, including but not limited to:

When you rotate a webhook's secret in Global Commerce, you are presented with several Expiration Time options. These options determine when the new secret will become active and when the old secret will be invalidated. Here's what each option means:

• Immediately: The new secret is activated, and the old one becomes invalid. This is the best option if you suspect a compromise and need to secure your webhook immediately.

• 1 Hour: There's a one-hour grace period before the new secret is activated. Use this if you need a short window to update your systems without interrupting services.

• 3 Hours, 6 Hours, 12 Hours: These options provide longer grace periods, which are useful if multiple systems need the new secret and more time to update them all.

• 24 Hours: This option gives you a full day to transition to the new secret, minimizing the risk of service disruption for more complex integration setups.

Choosing the right expiration time depends on your operational requirements and the urgency of the secret rotation. For immediate security concerns, "Immediately" ensures the fastest protection. For planned rotations, choosing a longer duration allows for a smoother update process across your infrastructure without service interruption.

You can maintain up to five secrets per webhook. To rotate a webhook's secret:

1. Sign in to Global Commerce.

2. Select Administration, and then click Webhook Service. The Webhook Service page appears.

3. Find the webhook with the secret you want to rotate and click the Rotate Secret link. The Reveal Secret dialog appears.

4. Choose an expiration option from the Expiration Time list. Your options are Immediately, 1 Hour, 3 Hours, 6 Hours, 12 Hours, or 24 Hours.

5. Provide your Global Commerce username and click Rotate. Note that the Username field is case-sensitive. Click Reveal Secret if you want to see the new secret token.

After you rotate a webhook's secret in Global Commerce, follow these steps to ensure a smooth transition: