Skip to main content
POST
/
v1
/
{workspace}
/
ws_signing_key
/
{signing_key_uid}
/
roll
/
Roll Workspace Signing Key
curl -X POST "https://management-api.suprsend.com/v1/{workspace}/ws_signing_key/{signing_key_uid}/roll/" \
  --header 'Authorization: ServiceToken <SERVICE_TOKEN>' \
  --header 'Content-Type: application/json'

{
  "id": "ws_signk_exampleId02",
  "uid": "signing_key_exampleUid02",
  "status": "active",
  "allowed_domains": null,
  "expiry_at": null,
  "private_key_pem": "-----BEGIN PRIVATE KEY-----\n...redacted...\n-----END PRIVATE KEY-----\n",
  "private_key_base64": "LS0tLS1CRUdJTi...redacted...",
  "created_at": "2026-04-21T12:37:46.216734Z",
  "created_by": {
    "name": "System User",
    "email": "org_XXXXXXXXXXXXXXXXXXXXXX@systemuser.suprsend.com"
  },
  "rolled_at": null,
  "rolled_by": null,
  "deleted_at": null,
  "deleted_by": null
}

Authorizations

ServiceToken <token>
string
header
required

You can get Service Token from SuprSend dashboard -> Account Settings -> Service Tokens section.

Path Parameters

workspace
string
required

Workspace slug (e.g. staging, production).

signing_key_uid
string
required

Signing key uid to roll (e.g. signing_key_...).

Response

Signing key rolled. A new signing key is created and its private key material is returned once.

Signing key used to verify signed payloads.

id
string

Unique identifier of the signing key.

Example:

"ws_signk_exampleId01"

uid
string

Signing key uid used in path parameters for roll/delete.

Example:

"signing_key_exampleUid01"

status
enum<string>

Status of the signing key.

Available options:
active,
rolled
allowed_domains
string[] | null

Domains allowed to use this signing key.

expiry_at
string<date-time> | null

Timestamp when the signing key expires.

created_at
string<date-time>

Timestamp when the signing key was created.

created_by
object

Identity that performed an action (created, updated, rolled, deleted, rotated).

rolled_at
string<date-time> | null

Timestamp when the signing key was rolled.

rolled_by
object

Identity that performed an action (created, updated, rolled, deleted, rotated).

deleted_at
string<date-time> | null

Timestamp when the signing key was deleted.

deleted_by
object

Identity that performed an action (created, updated, rolled, deleted, rotated).

private_key_pem
string

PEM-encoded private key. Returned only at creation and on roll - store it securely and never commit to source control.

Example:

"-----BEGIN PRIVATE KEY-----\n...redacted...\n-----END PRIVATE KEY-----\n"

private_key_base64
string

Base64-encoded private key. Returned only at creation and on roll.

Example:

"LS0tLS1CRUdJTi...redacted..."