industry · 2026-05-23 · 11 min read

I rotated my webhook signing secret, fresh deliveries verified fine but retries kept returning 401 — the dual-secret rotation parity gap in thMenu's cron

Khaled (35), senior backend engineer at a Casablanca PMS integration partner, kicks off a planned HMAC signing-secret rotation on Monday morning, following the Stripe/GitHub/Slack pattern of a 7-day overlap during which both the new and the previous secret are valid. 387 fresh deliveries verify fine; 23 of the 25 deliveries coming out of the retry queue return 401.

Forensics: fresh deliveries carry `X-thMenu-Signature: sha256=<new>,sha256=<prev>`, a comma-separated dual signature computed with both secrets. Retries emit only `sha256=<new>`. Khaled's receiver is still validating against the old secret, so every retry fails with 401, `consecutive_failures` climbs to 5 or more, and 7 subscriptions are auto-paused.

Root cause: the SELECT clause at `cloudflare/src/cron-jobs/webhook-retry.ts:112` pulled `signing_secret` only. `signing_secret_prev` had been added to the dispatcher correctly when PR #563 SS-B shipped the rotation feature, but the parallel CronTrigger retry cron was missed in that sweep, so the two signing surfaces diverged.

Fix, shipped in **PR #639 batch IV F1**: the retry cron's SELECT now also reads `signing_secret_prev`; the comma-separated dual-signature header is emitted on retries as well; and an `X-thMenu-Sig-Algorithm: sha256` negotiation header is added alongside it.

Pattern: a dual-secret rotation is only as good as its least-updated signing surface. Sweep EVERY place that signs (dispatcher, retry cron, delayed-emit batch, replay UI), and back it with a CI lint rule that requires a paired `signing_secret_prev` read wherever `signing_secret` feeds an HMAC sign call.
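The following is an added example, not thMenu's own code, showing the rotation-aware signing described above and the receiver check that makes the retry-cron gap visible: a dispatcher that reads both secrets emits a dual signature the receiver accepts with either secret, while a path that reads only `signing_secret` emits a single signature that a receiver still on the previous secret rejects. The `SubscriptionRow` shape, secret values and payload are constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed stand-in for the subscription row the crons SELECT from.
export interface SubscriptionRow {
  signing_secret: string;
  signing_secret_prev: string | null; // null outside a rotation window
}

// Sender side: sign the body with every active secret and join the results
// with commas, producing the X-thMenu-Signature value the page describes.
export function signPayload(body: string, secrets: Array<string | null>): string {
  return secrets
    .filter((s): s is string => typeof s === "string" && s.length > 0)
    .map((s) => "sha256=" + createHmac("sha256", s).update(body).digest("hex"))
    .join(",");
}

// Receiver side: accept the delivery if ANY comma-separated signature matches
// the single secret this receiver currently holds. Each candidate is checked
// with a constant-time compare after validating its shape.
export function verifySignature(body: string, header: string, receiverSecret: string): boolean {
  const expected = createHmac("sha256", receiverSecret).update(body).digest();
  return header.split(",").some((part) => {
    const [alg, hex] = part.trim().split("=");
    if (alg !== "sha256" || !hex || !/^[0-9a-f]{64}$/i.test(hex)) return false;
    return timingSafeEqual(Buffer.from(hex, "hex"), expected);
  });
}

// Fixed path (dispatcher, and the retry cron after the fix): both secrets are
// read from the row, so a receiver on either secret verifies the delivery.
export function headerWithRotation(body: string, row: SubscriptionRow): string {
  return signPayload(body, [row.signing_secret, row.signing_secret_prev]);
}

// Gap path (retry cron before the fix): the SELECT pulled only
// signing_secret, so a receiver still on the previous secret gets a 401.
export function headerWithoutPrev(body: string, row: SubscriptionRow): string {
  return signPayload(body, [row.signing_secret]);
}
```

A CI lint of the kind the page proposes would flag `headerWithoutPrev`: it calls the HMAC path with `signing_secret` and no paired `signing_secret_prev` read.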


thMenu Team

thmenu.com
