Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.kash.bot/llms.txt

Use this file to discover all available pages before exploring further.

HTTP status: 429 · Title: “Rotation cooldown active”

When it fires

POST /v1/auth/api-keys/me/webhook-secret/rotate was called within the 60-second cooldown that follows a previous successful rotation.

Why the cooldown exists

This is the most important error to read carefully — the cooldown is not a rate-limit, it is a rollback-safety guard. Every successful rotation moves the previous secret into webhook_secret_previous so operations can roll back within 7 days if the rotation breaks the customer’s verifier. If you rotate twice in quick succession, the second rotation overwrites that rollback slot with the FIRST rotation’s brand-new secret — a secret you may have never actually received in your response (e.g., the first POST timed out, your HTTP client retried, and the new plaintext from the first attempt was lost in flight). Rolling back later would restore a secret no verifier was ever configured for. The cooldown forces this dangerous case into a visible 429 instead of silently corrupting the rollback guarantee.

How to fix

  • If you successfully captured the new secret from the previous rotation: wait for the Retry-After window to expire and call again. The cooldown is per-key, so other keys are unaffected.
  • If you did NOT capture the new secret from the previous rotation (network timeout, lost response, dropped connection): do not retry. Contact support so we can rotate via an operator path that preserves the rollback chain. Re-rotating yourself would replace webhook_secret_previous with the secret you never received, breaking the only recovery path.

Response headers

  • Retry-After: <seconds> — how long to wait before re-attempting (computed from the prior rotation’s timestamp).