Skip to main content
Webhooks send signed HTTP POST events to your server when generation state changes or a low-credit threshold is crossed.

Event types

Set up an endpoint

1

Create a receiver

Add an HTTPS route in your application that accepts POST requests and reads the raw request body before parsing JSON.
2

Register the endpoint

Open Webhook in the dashboard, add the HTTPS URL, and choose the events your server handles. Endpoint URLs must use public HTTPS on the default HTTPS port and must not rely on redirects.
3

Store the secret

Copy the whsec_... signing secret and store it in your secrets manager. BabySea shows it once.
4

Send a test event

Click Send test event from the endpoint details page. Return any 2xx status when verification succeeds.

Delivery headers

Every webhook delivery includes these headers:

Verify signatures

BabySea signs the exact raw JSON body with HMAC-SHA256. The signed payload is:
Use verifyWebhook() from the TypeScript SDK when possible.
TypeScript
verifyWebhook() rejects missing signatures, invalid signatures, malformed signature headers, and timestamps outside the tolerance window. The default tolerance is 300 seconds.

Generation payload

Generation lifecycle events share this shape:
JSON
generation.failed can include generation_error and generation_error_code. generation.canceled can include credits_refunded.

Credit alert payload

credits.low_balance uses a billing payload instead of generation fields.
JSON
Configure thresholds and delivery channels from credits, low-balance alerts.

Delivery behavior

Generation lifecycle deliveries use retries. Credit alert, test, and replay deliveries are one-shot deliveries. Any 2xx response marks the delivery successful. Generation endpoints are automatically disabled after 15 consecutive failed generation deliveries. When matching generation events arrive while an endpoint is disabled, BabySea queues them for later delivery.

Idempotency in your handler

Webhook delivery is at-least-once for generation lifecycle events. Store webhook_delivery_id before applying side effects so retries and replays do not duplicate work. Recommended handler behavior:
  • Verify X-BabySea-Signature against the raw body.
  • Reject events with stale timestamps.
  • Store webhook_delivery_id with a unique constraint.
  • Return 2xx only after durable side effects complete.
  • Return 4xx for permanently invalid requests and 5xx for temporary failures.

Dashboard management

Use webhook to create endpoints, rotate secrets, send test events, inspect deliveries, replay deliveries, deliver queued events, and delete endpoints.