Get Webhook Secret

Retrieve your organization's webhook signing secret. This is a public, authenticated endpoint you can use to verify the `Sync-Signature` header on generation and batch webhook deliveries: Sync signs the raw JSON request body as HMAC-SHA256 over `${timestamp}.${rawBody}` and sends it as `Sync-Signature: t=<unix>,v1=<hmac_sha256>`. Store the full `whsec_...` value securely. `masked=true` returns a display-only value; do not use it as a verification secret. The same secret is available on the [webhooks settings page](https://sync.so/settings/webhooks).

Authentication

x-api-keystring
API Key authentication via header

Query parameters

maskedbooleanOptionalDefaults to false

When true, returns a display-only masked version of the secret that must not be used as a verification secret. Omit or set false when configuring a webhook verifier so you get the usable value.

Response

Webhook secret retrieved successfully
secretstring

The webhook signing secret, prefixed with whsec_. When the request sets masked=true, this is a display-only masked value and must not be used to verify signatures.

Errors

401
Unauthorized Error
500
Internal Server Error