Webhook Signing Secret
Webhook Signing Secret vs API Credentials
Webhook Signing Secret:
Used to authenticate requests coming FROM Marmin to your webhook endpoint.
Used only for verifying the HMAC signature of webhook payloads.
Generated when you Add or Edit a Webhook URL.
A new secret is generated only when you click "Regenerate Webhook Secret" – not when you update the webhook URL.
API Client ID / Client Secret:
Used by your application to authenticate requests TO Marmin APIs.
Used to generate HMAC signatures for API token requests.
Used to obtain the JWT Bearer tokens that are included in API request headers.
Important: These are completely separate credentials serving different purposes:
Webhook Signing Secret = Authenticate Marmin's webhook requests to you.
API Client ID/Secret = Authenticate your API requests to Marmin.
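Checking the webhook signature on your endpoint, as an added example that is not Marmin's own code: the header name, the HMAC-SHA256 algorithm and the hex encoding are assumptions, since this page does not state them. The verifier also accepts the previous secret alongside the current one so that regenerating the secret does not reject deliveries still signed with the old value.

```python
import hashlib
import hmac
from typing import Iterable, Mapping

# Assumptions (not stated on this page): the signature is an HMAC-SHA256 over the
# raw request body, hex-encoded, and carried in a header named here for illustration.
SIGNATURE_HEADER = "X-Marmin-Signature"


def compute_signature(secret: str, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw, unparsed body, keyed with the Webhook Signing Secret."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: Mapping[str, str], raw_body: bytes,
                   secrets: Iterable[str]) -> bool:
    """Return True only if the presented signature matches one computed with an
    accepted secret. `secrets` holds the current secret and, while a rotation is
    in progress, the previous one, so in-flight deliveries still verify."""
    # Case-insensitive header lookup; a missing header is rejected outright.
    presented = next((v for k, v in headers.items()
                      if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not presented:
        return False
    presented = presented.strip().lower()
    for secret in secrets:
        expected = compute_signature(secret, raw_body)
        # Constant-time comparison so a mismatch position is not leaked via timing.
        if hmac.compare_digest(expected, presented):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not real Marmin credentials or payloads.
    secret = "whsec_EXAMPLE_NOT_REAL"
    body = b'{"event":"payment.completed","id":"evt_123"}'
    good = {SIGNATURE_HEADER: compute_signature(secret, body)}
    print(verify_webhook(good, body, [secret]))               # True
    print(verify_webhook(good, body + b" ", [secret]))        # False: body altered
    print(verify_webhook({}, body, [secret]))                 # False: no signature header
    print(verify_webhook(good, body, ["whsec_NEW", secret]))  # True: old secret during rotation
```

Always sign and verify the exact bytes received; re-serialising parsed JSON can change whitespace or key order and break the check.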
Revealing or Regenerating the Secret
For security reasons, the Signing Secret is masked by default.
To reveal or regenerate it:
Click Reveal Secret or Regenerate Secret.
An OTP (One-Time Password) is sent to your registered email address.
Check your email inbox for the OTP.
Enter the OTP in the verification field.
Click Verify or Submit to proceed.
OTP Validity: The OTP is valid for 5 minutes from the time it was sent. If the OTP expires, you can request a new one by clicking the button again.
> This OTP flow is mandatory for all webhook secret–related actions.
Security Notes
Store the Webhook Signing Secret securely.
Never expose it in frontend applications.
Rotate the secret immediately if it is compromised.
