POST events to your server when generation state changes or a low-credit threshold is crossed.
Event types
Set up an endpoint
1
Create a receiver
Add an HTTPS route in your application that accepts
POST requests and
reads the raw request body before parsing JSON.2
Register the endpoint
Open Webhook in the dashboard, add the HTTPS URL, and choose the events
your server handles. Endpoint URLs must use public HTTPS on the default
HTTPS port and must not rely on redirects.
3
Store the secret
Copy the
whsec_... signing secret and store it in your secrets manager.
BabySea shows it once.4
Send a test event
Click Send test event from the endpoint details page. Return any
2xx
status when verification succeeds.Delivery headers
Every webhook delivery includes these headers:Verify signatures
BabySea signs the exact raw JSON body with HMAC-SHA256. The signed payload is:verifyWebhook() from the TypeScript SDK when possible.
TypeScript
verifyWebhook() rejects missing signatures, invalid signatures, malformed signature headers, and timestamps outside the tolerance window. The default tolerance is 300 seconds.
Generation payload
Generation lifecycle events share this shape:JSON
generation.failed can include generation_error and generation_error_code. generation.canceled can include credits_refunded.
Credit alert payload
credits.low_balance uses a billing payload instead of generation fields.
JSON
Delivery behavior
Generation lifecycle deliveries use retries. Credit alert, test, and replay deliveries are one-shot deliveries.
Any
2xx response marks the delivery successful. Generation endpoints are automatically disabled after 15 consecutive failed generation deliveries. When matching generation events arrive while an endpoint is disabled, BabySea queues them for later delivery.
Idempotency in your handler
Webhook delivery is at-least-once for generation lifecycle events. Storewebhook_delivery_id before applying side effects so retries and replays do not duplicate work.
Recommended handler behavior:
- Verify
X-BabySea-Signatureagainst the raw body. - Reject events with stale timestamps.
- Store
webhook_delivery_idwith a unique constraint. - Return
2xxonly after durable side effects complete. - Return
4xxfor permanently invalid requests and5xxfor temporary failures.
