# List webhook signing keys for the current tenant

**GET** `/webhooks/signing-keys`

Returns the active and any expiring (mid-rotation) webhook signing keys.
On the very first call for a tenant, a key is bootstrapped automatically
and its plaintext is included in the response — exactly once. Subsequent
calls return metadata only (no plaintext).

Authentication: bearerAuth
Required scopes: `webhook:read`
Allowed roles: `owner`, `admin`
Authorization: List webhook signing keys.

## Responses

- `200`: List of signing keys (plaintext present only on bootstrap response)
- `default`: Error