Svix Rotate Endpoint Signing Secret

arazzo: 1.0.1
info:
  title: Svix Rotate Endpoint Signing Secret
  summary: Rotate a webhook endpoint's signing secret and read back the new secret value.
  description: >-
    Webhook signing secrets must be rotated periodically for security. This
    workflow confirms the endpoint exists, rotates its signing secret (letting
    Svix generate a fresh one), and then reads the current secret back so the
    caller can distribute the new value to the receiving service. Every step
    spells out its request inline so the flow can be read and executed without
    opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: svixApi
  url: ../openapi/svix-openapi.json
  type: openapi
workflows:
- workflowId: rotate-endpoint-secret
  summary: Rotate an endpoint signing secret and retrieve the new value.
  description: >-
    Fetches the endpoint to confirm it exists, triggers a secret rotation
    (returning 204 No Content), then reads the new signing secret back.
  inputs:
    type: object
    required:
    - appId
    - endpointId
    properties:
      appId:
        type: string
        description: The id or uid of the application owning the endpoint.
      endpointId:
        type: string
        description: The id or uid of the endpoint whose secret is rotated.
  steps:
  - stepId: getEndpoint
    description: >-
      Confirm the target endpoint exists before rotating its secret. Returns 200
      with the endpoint object.
    operationId: v1.endpoint.get
    parameters:
    - name: app_id
      in: path
      value: $inputs.appId
    - name: endpoint_id
      in: path
      value: $inputs.endpointId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      endpointId: $response.body#/id
  - stepId: rotateSecret
    description: >-
      Rotate the endpoint signing secret, letting Svix generate a new value by
      sending a null key. Returns 204 No Content on success.
    operationId: v1.endpoint.rotate-secret
    parameters:
    - name: app_id
      in: path
      value: $inputs.appId
    - name: endpoint_id
      in: path
      value: $steps.getEndpoint.outputs.endpointId
    requestBody:
      contentType: application/json
      payload:
        key: null
    successCriteria:
    - condition: $statusCode == 204
  - stepId: getNewSecret
    description: >-
      Read the endpoint's current signing secret so the rotated value can be
      distributed. Returns 200 with the secret key.
    operationId: v1.endpoint.get-secret
    parameters:
    - name: app_id
      in: path
      value: $inputs.appId
    - name: endpoint_id
      in: path
      value: $steps.getEndpoint.outputs.endpointId
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      secret: $response.body#/key
  outputs:
    endpointId: $steps.getEndpoint.outputs.endpointId
    secret: $steps.getNewSecret.outputs.secret