Implicit for Zendesk

Zendesk — Ticket #TK-4821 Implicit Navigator — active on this ticket

Open Tickets

#TK-482111m ago

Webhook sync failure after API key rotation

ETIMEDOUT on retry — no events reaching endpoint...

Urgent

#TK-48091h ago

SSO login loop — SAML assertion rejected

Works for some users, broken for EU region...

Open

#TK-47983h ago

CSV export truncated at 10,000 rows

We have 340K records — export stops at 10k...

Open

#TK-4784Yesterday

Rate limit 429s on bulk import endpoint

Hitting limits below documented threshold...

Solved

Webhook sync failure — ETIMEDOUT on all retries after API key rotation

Urgent API / Webhooks Enterprise

Marcus Webb · Orion Analytics · Opened 09:14 AM · Agent: Sarah K.

Marcus Webb

Customer · Orion Analytics

9:14 AM

We rotated API keys as part of our quarterly security audit. Since rotation, none of our webhooks are delivering — production pipelines are completely blocked.

ERROR: connect ETIMEDOUT 52.44.128.91:443 at TCPConnectWrap.afterConnect [as oncomplete] Retries: 5/5 — all timed out. Last successful delivery: 2025-06-02 22:47 UTC

Sarah K.

Support Agent

9:31 AM

Did you update the webhook config after rotating? There's a separate step in webhook settings vs. the main API credentials dashboard.

Marcus Webb

Customer · Orion Analytics

9:44 AM

Yes — updated both locations, regenerated the webhook signing secret. The ETIMEDOUT is at the TLS handshake level, not auth. We're on Enterprise with a static outbound IP configured last year. Could this be an IP allowlist issue?

Internal Note

Forward

Implicit Navigator

Support Knowledge Engine

Reading ticket

Context: #TK-4821 Webhook · Enterprise · IP Allowlist

Ticket context loaded automatically

Agent — Sarah K.

What causes ETIMEDOUT on webhook delivery after an API key rotation for Enterprise accounts with IP allowlisting?

Implicit · Support Navigator

This is a known Enterprise edge case. When an API key is rotated, the system triggers a re-verification of the outbound IP binding. 1 During this ~15 min window, the webhook signing service uses a temporary IP not on the customer's allowlist — causing TLS handshakes to be dropped upstream. 2

The ETIMEDOUT at handshake level — not auth — is the diagnostic tell. 3

1 Enterprise Networking Guide §4.2 2 Webhook Delivery Architecture 3 IP Allowlist Runbook v2.1

Agent — Sarah K.

What's the fix? How do I resolve this for the customer right now?

Searching knowledge base…

Implicit · Support Navigator

Immediate fix (<5 min): Manually re-pin the static IP. Go to Settings → Security → Outbound IP → Re-validate. 4 This re-attaches the binding without waiting for auto-verification.

If Marcus lacks console access, trigger via internal tooling: ops-tools webhook-ip repin --account=orion-analytics. 5

Delivery backlog will auto-retry for 24 hours with exponential backoff — no events are lost. 4

4 Enterprise Admin Guide §7.1 5 Internal Ops Runbook — Webhook Repair

Always sourced from your knowledge base · Never generic AI