Webhooks

Subscribe to SeaLink account events such as API call completion, API Key expiry, and low-balance alerts.

Event types

Event	Description
usage.created	An API call completed and usage was recorded.
key.expiring	An API Key is approaching its expiration time.
balance.low	Account balance dropped below the configured threshold.

Signature verification

Each request includes X-SeaLink-Signature in the format sha256=<HMAC-SHA256(raw body, signing secret)>. Verify against the raw request body, not a re-serialized JSON object.

Node.js

import crypto from "node:crypto";

export function verifySeaLinkWebhook(
  payload: string,            // raw request body
  signature: string,          // value of X-SeaLink-Signature header
  secret: string,             // your endpoint signing secret from /dashboard/webhooks
): boolean {
  // Header format: sha256=<hmac-sha256-hex>
  const received = signature.startsWith("sha256=")
    ? signature.slice("sha256=".length)
    : "";
  if (!received) return false;

  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");
  const expectedBuffer = Buffer.from(expected, "hex");
  const receivedBuffer = Buffer.from(received, "hex");

  return expectedBuffer.length === receivedBuffer.length
    && crypto.timingSafeEqual(expectedBuffer, receivedBuffer);
}

Retries & idempotency

SeaLink retries up to 3 times on 5xx, 429, or network timeout, with backoff delays of about 10s, 30s, and 90s.
The event body includes event_id; use it for idempotent deduplication.
Return 2xx quickly; queue heavy processing.