Account & Security

Webhooks

Receive inference results asynchronously via HTTP callbacks.

Webhooks are a feature of the DEVUP Native API. They are not supported with the OpenAI-compatible API. Webhooks let you submit an inference request and receive the result via an HTTP callback, instead of waiting for the response synchronously. This is useful for long-running requests or fire-and-forget workloads.

How it works

Add a webhook parameter to your request. The API immediately responds with status queued, then calls your webhook URL with the result once inference is complete.

Text generation example

const response = await fetch("https://api.devupai.com/v1/chat/completions", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Authorization": `Bearer ${process.env.DEVUP_API_KEY}`,
  },
  body: JSON.stringify({
    model: "deepseek-ai/DeepSeek-V4-Pro",
    messages: [{ role: "user", content: "Hello!" }],
    webhook: "https://your-app.com/devupai-webhook"
  })
});
const data = await response.json();
console.log(data.status); // "queued"

Embeddings example

bash

curl "https://api.devupai.com/v1/embeddings"   -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DEVUP_API_KEY" \
  -d '{
    "inputs": ["I like chocolate"],
    "webhook": "https://your-app.com/devupai-webhook"
  }'

Webhook payload

On success, your endpoint receives:

json

{
  "request_id": "R7X9fdLIaF56lVisBAi5xR3E",
  "inference_status": {
    "status": "succeeded",
    "runtime_ms": 228,
    "cost": 0.0001140000022132881
  },
  "results": { ... }
}

On failure:

json

{
  "request_id": "RHNShFanUP5ExA8rzgyDWH88",
  "inference_status": {
    "status": "failed",
    "runtime_ms": 0,
    "cost": 0.0
  }
}

Verifying webhook signatures

Every webhook delivery includes an X-DevUp-Signature header containing an HMAC-SHA256 hex digest of the raw request body, signed with your webhook secret. Always verify this signature before processing the payload to prevent spoofed requests.

Header	Value
X-DevUp-Signature	HMAC-SHA256 hex digest of the raw JSON body

Example verification in Node.js:

typescript

import crypto from "crypto";

function verifySignature(
  rawBody: string,
  secret: string,
  signature: string
): boolean {
  const expected = crypto
    .createHmac("sha256", secret)
    .update(rawBody, "utf8")
    .digest("hex");

  const a = Buffer.from(signature, "hex");
  const b = Buffer.from(expected, "hex");
  if (a.length !== b.length) return false;
  return crypto.timingSafeEqual(a, b);
}

// In your webhook handler:
const isValid = verifySignature(
  rawBody,
  process.env.DEVUP_WEBHOOK_SECRET!,
  req.headers["x-devup-signature"] as string
);

if (!isValid) {
  return res.status(401).json({ error: "Invalid signature" });
}

⚠️

Use crypto.timingSafeEqual instead of === to prevent timing-based attacks.

Retry behavior

Retry Policy: 3 delivery attempts with exponential backoff (30s, 5min, 30min). After 3 failed attempts, the webhook is dropped.

Rate Limits