Skip to main content
POST
/
v1
/
{workspace}
/
ws_signing_key
/
{signing_key_uid}
/
roll
/
Roll Workspace Signing Key
curl -X POST "https://management-api.suprsend.com/v1/{workspace}/ws_signing_key/{signing_key_uid}/roll/" \
  --header 'Authorization: ServiceToken <SERVICE_TOKEN>' \
  --header 'Content-Type: application/json'
import requests

url = "https://management-api.suprsend.com/v1/{workspace}/ws_signing_key/{signing_key_uid}/roll/"

headers = {"ServiceToken <token>": "<api-key>"}

response = requests.post(url, headers=headers)

print(response.text)
const options = {method: 'POST', headers: {'ServiceToken <token>': '<api-key>'}};

fetch('https://management-api.suprsend.com/v1/{workspace}/ws_signing_key/{signing_key_uid}/roll/', options)
.then(res => res.json())
.then(res => console.log(res))
.catch(err => console.error(err));
<?php

$curl = curl_init();

curl_setopt_array($curl, [
CURLOPT_URL => "https://management-api.suprsend.com/v1/{workspace}/ws_signing_key/{signing_key_uid}/roll/",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_HTTPHEADER => [
"ServiceToken <token>: <api-key>"
],
]);

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
package main

import (
"fmt"
"net/http"
"io"
)

func main() {

url := "https://management-api.suprsend.com/v1/{workspace}/ws_signing_key/{signing_key_uid}/roll/"

req, _ := http.NewRequest("POST", url, nil)

req.Header.Add("ServiceToken <token>", "<api-key>")

res, _ := http.DefaultClient.Do(req)

defer res.Body.Close()
body, _ := io.ReadAll(res.Body)

fmt.Println(string(body))

}
HttpResponse<String> response = Unirest.post("https://management-api.suprsend.com/v1/{workspace}/ws_signing_key/{signing_key_uid}/roll/")
.header("ServiceToken <token>", "<api-key>")
.asString();
require 'uri'
require 'net/http'

url = URI("https://management-api.suprsend.com/v1/{workspace}/ws_signing_key/{signing_key_uid}/roll/")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Post.new(url)
request["ServiceToken <token>"] = '<api-key>'

response = http.request(request)
puts response.read_body
{
  "id": "ws_signk_exampleId02",
  "uid": "signing_key_exampleUid02",
  "status": "active",
  "allowed_domains": null,
  "expiry_at": null,
  "private_key_pem": "-----BEGIN PRIVATE KEY-----\n...redacted...\n-----END PRIVATE KEY-----\n",
  "private_key_base64": "LS0tLS1CRUdJTi...redacted...",
  "created_at": "2026-04-21T12:37:46.216734Z",
  "created_by": {
    "name": "System User",
    "email": "org_XXXXXXXXXXXXXXXXXXXXXX@systemuser.suprsend.com"
  },
  "rolled_at": null,
  "rolled_by": null,
  "deleted_at": null,
  "deleted_by": null
}
{
"code": 401,
"error_code": "authentication_failed",
"type": "AuthenticationFailed",
"message": "Invalid service token.",
"detail": "Invalid service token."
}
{
"code": 404,
"error_code": "not_found",
"type": "NotFound",
"message": "workspace 'demo' not found",
"detail": "workspace 'demo' not found"
}

Authorizations

ServiceToken <token>
string
header
required

You can get Service Token from SuprSend dashboard -> Account Settings -> Service Tokens section.

Path Parameters

workspace
string
required

Workspace slug (e.g. staging, production).

signing_key_uid
string
required

Signing key uid to roll (e.g. signing_key_...).

Response

Signing key rolled. A new signing key is created and its private key material is returned once.

Signing key used to verify signed payloads.

id
string

Unique identifier of the signing key.

Example:

"ws_signk_exampleId01"

uid
string

Signing key uid used in path parameters for roll/delete.

Example:

"signing_key_exampleUid01"

status
enum<string>

Status of the signing key.

Available options:
active,
rolled
allowed_domains
string[] | null

Domains allowed to use this signing key.

expiry_at
string<date-time> | null

Timestamp when the signing key expires.

created_at
string<date-time>

Timestamp when the signing key was created.

created_by
object | null

Identity that performed an action (created, updated, rolled, deleted, rotated).

rolled_at
string<date-time> | null

Timestamp when the signing key was rolled.

rolled_by
object | null

Identity that performed an action (created, updated, rolled, deleted, rotated).

deleted_at
string<date-time> | null

Timestamp when the signing key was deleted.

deleted_by
object | null

Identity that performed an action (created, updated, rolled, deleted, rotated).

private_key_pem
string

PEM-encoded private key. Returned only at creation and on roll - store it securely and never commit to source control.

Example:

"-----BEGIN PRIVATE KEY-----\n...redacted...\n-----END PRIVATE KEY-----\n"

private_key_base64
string

Base64-encoded private key. Returned only at creation and on roll.

Example:

"LS0tLS1CRUdJTi...redacted..."