Skip to main content
ToAPIs sends one final event when an asynchronous image or video task completes or permanently fails. Delivery is at least once; deduplicate by event id.

Configure a Token

In the ToAPIs console, edit the Token, set an HTTPS default callback URL, generate a signing secret, enable Task Webhooks, save, and send a test event. The 32-byte secret is shown only when generated or rotated. If a task request omits callback_url, ToAPIs uses the Token default. A request-level URL may only change the path and query while keeping the same scheme, hostname, and port. If Webhooks are disabled or the Token lacks a default URL or secret, sending callback_url returns 400 webhook_not_configured.

Events

  • generation.completed
  • generation.failed
  • endpoint.test
Failed events are sent only after internal retries and refund or billing finalization have completed. Temporary failures do not emit an event.
Test deliveries use the same signed contract:
task_type is image or video. Results match the public task-status representation and never contain channel IDs, upstream task IDs or keys, internal credentials, or private task data.

Headers and signature

The signed bytes are:
Compute HMAC-SHA256 with the Token secret and compare signatures in constant time. Reject a first delivery whose timestamp differs from local time by more than five minutes. Retries use the actual resend timestamp and keep the same event ID. During the 24 hours after secret rotation, ToAPIs sends signatures from both the current and previous secret; accept any valid v1 value.

Python

Node.js

Go

Persist the event ID before processing side effects so duplicate deliveries return 2xx without repeating work.

Delivery and security

Only 2xx is successful. ToAPIs does not follow redirects, times out after 10 seconds, and retries after approximately 10 seconds, 30 seconds, 2 minutes, 10 minutes, 1 hour, 6 hours, and 24 hours. Use the task-status API if delivery is delayed or exhausted. Callback endpoints must use HTTPS and cannot contain userinfo or fragments. Private, loopback, link-local, reserved, or disallowed DNS/IP destinations and illegal ports are rejected. DNS and SSRF checks run again for every delivery. Result URLs may expire. Download and store required assets promptly. Real-avatar verification callbacks, payment Webhooks, and OAuth callbacks keep their existing contracts and are not task Webhooks. See Async task rate limits.