v5.52.0 7 June 2026 Fix

Show-Once Webhook Secrets, Telemetry Redaction & a Resurrected Surface

Why This Matters

A signing secret that can be re-read at any time is not a secret, it is a password with good branding. Before this release, the webhook list returned every endpoint’s signing secret on a routine GET, the portal offered a Reveal button, and the platform’s own request telemetry would have stored any secret that crossed it. All three are now closed, in the pre-beta window where a breaking change costs nothing. And the work paid an unexpected dividend: the verification walk discovered the entire webhook management surface had been silently broken for weeks, and fixed it.


Show-Once Signing Secrets

  • Disclosed exactly twice, ever A webhook signing secret now appears at precisely two moments: when the endpoint is created, and when the secret is rotated. Both responses state it plainly: shown once, store it now, it cannot be retrieved again. If a secret is lost, rotation is the recovery path.

  • Identification without disclosure Every read surface (the endpoint list, update responses, the portal) carries secretHint, the last four characters, enough to know which key you are looking at and useless for anything else. The hint is derived inside the database query, so the full secret never even reaches application memory on a read path.

  • The class, not the instance The read-path row validations are now strict about exactly which columns they accept, so a future change that accidentally selects the secret on any read produces a loud failure instead of a silent leak. The same pattern that protects API keys (which were already correct, and served as the model) now protects webhook secrets.

  • In the portal The Reveal button is gone, because there is nothing to reveal. New and rotated secrets appear once in a clearly marked panel with a copy button; dismissing it is final.


Request Telemetry Redaction

  • Credentials can no longer enter the request log The API request log captures request and response bodies for drill-down. Headers were always stripped of credentials; bodies were not, which meant a show-once response passing through the log would have been stored verbatim. Three redundant redaction layers now run before anything is stored: a field-name match that recognises credential fields in any casing or separator style, a suffix rule catching anything ending in secret, password, or token, and value patterns that recognise credential-shaped strings whatever their field is called. Redaction runs before truncation, so a secret cannot survive inside a truncated preview either.

  • Verified with a witness A live test request produced the proof in one row: the stored log entry reads [REDACTED] where the secret was, while the harmless identification hint beside it survived intact and matches the real secret’s tail. A census of the existing log found zero stored credentials before the fix, and the redaction layer keeps that count at zero permanently.


A Resurrected Surface

  • The webhook list and creation had been silently broken The verification walk for this release discovered that webhook management had not worked for weeks: a database identifier type mismatch in the strict row validations meant both listing and creating endpoints failed, and one existing endpoint had been invisible in the portal the entire time. Found by exercising the feature, not by a user report. Fixed in this release: identifiers are now coerced at the boundary, the list renders, creation works, and the lost endpoint is back.

Operational Impact

  • Webhook signing secrets follow the same discipline as API keys: shown once, identified by hint thereafter, recovered by rotation
  • No credential can be stored by the platform’s request telemetry, in any field, under any name
  • Webhook endpoint management works again, including for endpoints created before the breakage
  • Breaking change for API consumers reading secret from the webhook list or update responses: that field is gone from read paths by design, replaced by secretHint. Made now, pre-beta, while the external consumer count is zero

Files Changed

Backend:

  • Webhook endpoint routes: read paths carry the hint, strict per-statement row validation, show-once language on create and rotate, identifier coercion at the boundary
  • Request logging: deep credential redaction before storage
  • API reference: webhook documentation rewritten to state the show-once contract

Frontend / Portal:

  • Developer settings: reveal removed, hint display, show-once panels at create and rotate

Known Issues

  • The pending-cancellation banner copy review for post-trial mid-cycle cancellations (carried from 5.49.0) remains open ahead of 3 September.

Security work that ends with a feature working better than before it started is the right kind. The signing secret you are shown today is the last time anyone, including us, can read it back.