Signing Keys
Signing keys are used to verify the authenticity of webhook payloads sent by Inkbox. Each organization has a single signing key that is used across all webhooks (both mail and phone).
Before you create a signing key, webhooks and WebSocket connections are sent unsigned. Once a key is created, all webhooks and WebSocket upgrades are signed automatically.
The plaintext key is returned only once when created or rotated. Store it securely — it cannot be retrieved again.
Create or rotate signing key POST
POST /signing-keysCreate a new signing key for your organization, or rotate the existing one. On the first call a new key is generated. On subsequent calls the old key is replaced with a fresh one.
Response (201)
JSON| Field | Type | Description |
|---|---|---|
signing_key | string | Plaintext signing key. Store this securely — it is only returned once. |
created_at | string | Timestamp of creation or rotation (ISO 8601) |
Error responses
| Status | Description |
|---|---|
| 403 | Organization ID missing from token |
| 503 | Webhook signing is not configured on the server |
Code examples
cURLUsage
Once you have a signing key, use it to verify incoming webhook payloads. See: