The deploy hook docs are pretty clear that the deploy hook URLs should be secret:
Make sure to only give this URL to people and systems you trust. Anyone with access to the URL can trigger a deploy for your service.
Unfortunately there does not appear to be any way to cycle or reset this URL. This would be relevant if, hypothetically, someone were using deploy hooks in their continuous integration service and said service suffered a security breach in which customers’ environment secrets were potentially compromised. Purely hypothetically of course!
You are correct that we currently do not offer an in-app way to rotate the deploy hook. We can, however, do this for you from our end.
If you need assistance with this, please login to our dashboard and contact us via the ‘Contact Support’ link at the bottom of our dashboard and make sure you pick the service that this question relates to from your account.
Our REST API also offers the ability to deploy a service, and REST API keys can be rotated without support assistance.
Hi @Jade_Paoletta this is helpful, thank you! Though given the unfortunate reality of further security compromises I’d kindly ask to see this updated in the documentation too.
