Webhook keys
Webhook keys help your receiving tool trust that a webhook delivery came from Atomicat. Keys are long-lived secrets, so store them in a password manager or secret vault, not in screenshots or chat logs.
Open the modal​
- Go to Form webhook delivery or Quiz webhook delivery.
- Click API key management in the header.
The key area follows the type of webhook you are managing. Form webhooks and quiz webhooks may use separate keys.
Read the guidance​
The product explains that your receiving tool should use the key to validate webhook deliveries. A secondary note reminds you to keep the key private and rotate it if exposure is suspected.
Generate or rotate​
- If no key exists yet, the primary button reads Generate API key.
- After a key exists, the same button becomes Regenerate API key, which invalidates the previous secret when the server accepts the rotation.
- A loading state shows Generating while the key is created.
Copy the key​
When a key is present, it appears in a read-only field with a Copy action. After copying, the button briefly shows a check state so you know the clipboard write succeeded.
Operational practices​
| Practice | Why it matters |
|---|---|
| Rotate on schedule | Limits blast radius if a key leaks. |
| Different keys per environment | Production and testing destinations should not share secrets. |
| Verify before processing | Reject requests that do not include the expected key. |
If your setup is custom, ask your technical team which header or validation rule your receiving tool expects.
Related docs​
Frequently asked questions​
Will old deliveries break immediately after regeneration?
Any inflight retries may still use the old secret until they finish. Plan rotations during low traffic windows and update your server before or in sync with the UI action.
Is the webhook key the same thing as my user login?
No. Your login identifies you as a person using Atomicat. Webhook keys help external systems verify automated webhook deliveries.