Webhooks

Subscribe to lifecycle events out-of-band from the inference path. Create subscriptions from the dashboard.

Event types

• key_created — a new API key was minted
• key_revoked — an API key was revoked
• webhook_created — this webhook (or a sibling) was just created
• webhook_revoked — a webhook was disabled
• * — subscribe to everything

Delivery

Each event POSTs JSON to your URL with two headers:

• X-Sable-Event — the event type, e.g. key_revoked
• X-Sable-Signature — sha256=<hex> HMAC of the raw body using your webhook secret

Verifying signatures

import { createHmac, timingSafeEqual } from "node:crypto";

function verifySable(req: Request, secret: string): boolean {
const sig = req.headers.get("x-sable-signature") ?? "";
const expected = "sha256=" + createHmac("sha256", secret)
  .update(req.body)
  .digest("hex");
return timingSafeEqual(Buffer.from(sig), Buffer.from(expected));
}

Phase 1 makes a single delivery attempt per event. A receiver returning a non-2xx is logged in webhook_deliveries but not retried.