Skip to content
PlugNode
Feature

Webhook secret rotation

Rotate your published flow's webhook secret without downtime. Old secrets stay valid for a grace period so callers can migrate.

  • NewOne-click secret rotation

    Rotate the signing secret for any published flow from the publish panel. No need to unpublish or redeploy.

  • NewGrace period for old secrets

    After rotation, the previous secret stays valid for 24 hours. Callers can update their config without downtime.

  • ImprovedSecret visibility controls

    Secrets are masked by default in the dashboard. Click to reveal, with an auto-hide timer for safety.

Published flows authenticate callers with a signing secret. Now you can rotate that secret without breaking existing integrations.

How it works

Open the publish panel for any published flow and click "Rotate secret." PlugNode generates a new secret immediately. The old secret remains valid for 24 hours, giving callers a window to update their configuration.

After the grace period, the old secret is rejected and only the new one works.

Why this matters

  • Compromised key? Rotate in seconds, not minutes.
  • Team member leaves? Rotate secrets for every flow they had access to.
  • Compliance audit? Scheduled rotation is straightforward: rotate, update the caller, done.

What's next

Automated rotation on a configurable schedule and webhook signature verification helpers for popular languages.