KIE.AI

Webhook Security Verification

To ensure the security of callback requests, it is strongly recommended to enable Webhook HMAC signature verification in production environments to prevent forged requests and replay attacks.

Algorithm Overview

Kie AI uses the HMAC-SHA256 algorithm to generate signatures, ensuring the integrity and authenticity of webhook callbacks.
Signature Generation Process:
  1. Concatenate the data to sign: taskId + "." + timestampSeconds
    • taskId: Task ID from the request body
    • timestampSeconds: Unix timestamp in seconds from the X-Webhook-Timestamp header
  2. Calculate the HMAC-SHA256 signature: signature = HMAC-SHA256(dataToSign, webhookHmacKey)
  3. Base64 encode the signature: finalSignature = Base64.encode(signature)

Obtain Webhook HMAC Key

You can generate and view your webhookHmacKey on the Kie AI Settings Page.
The webhookHmacKey is used to verify that callback requests originate from Kie AI's official servers. Keep this key secure and never expose it or commit it to code repositories.

Webhook Header Description

When you enable the webhookHmacKey feature in the settings page, all callback requests will include the following fields in the HTTP headers:

X-Webhook-Timestamp

Type: Integer
Required: Yes
Description: Unix timestamp (in seconds) when the callback request was sent.

X-Webhook-Signature

Type: String
Required: Yes
Description: Signature generated using the HMAC-SHA256 algorithm with Base64 encoding.

Signature generation rule:

base64(HMAC-SHA256(taskId + "." + timestamp, webhookHmacKey))
Where:
  • taskId is the task ID from the callback body
  • timestamp is the value of X-Webhook-Timestamp
  • webhookHmacKey is the key you generated in the console

Webhook Verification Process

Follow these steps to verify the legitimacy of webhook requests:
  1. Read Header Fields: Extract the X-Webhook-Timestamp and X-Webhook-Signature fields from the HTTP headers.
  2. Generate Signature: Using your locally stored webhookHmacKey, generate the HMAC-SHA256 signature following these rules:
    1. Extract task_id from the request body
    2. Concatenate the string: taskId + "." + timestamp
    3. Generate signature using HMAC-SHA256 algorithm with webhookHmacKey
    4. Base64 encode the signature result
  3. Compare Signatures: Compare the computed signature with X-Webhook-Signature using a constant-time comparison algorithm to prevent timing attacks.
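
The verification steps above as a Python function, added here as an example (it is not Kie AI's own sample code). The five-minute freshness window, the UTF-8 key encoding, and the names compute_signature, verify_webhook and MAX_SKEW_SECONDS are assumptions; the caller passes in the task ID it extracted from the request body.

```python
import base64
import hashlib
import hmac
import time
from typing import Mapping, Optional

MAX_SKEW_SECONDS = 300  # assumption: the page does not state a freshness window


def compute_signature(task_id: str, timestamp: str, webhook_hmac_key: str) -> str:
    """base64(HMAC-SHA256(taskId + "." + timestamp, webhookHmacKey))."""
    data_to_sign = f"{task_id}.{timestamp}".encode("utf-8")
    # Assumption: the key string is used as its UTF-8 bytes.
    key = webhook_hmac_key.encode("utf-8")
    digest = hmac.new(key, data_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(headers: Mapping[str, str], task_id: str,
                   webhook_hmac_key: str, now: Optional[float] = None) -> bool:
    """True only if both headers exist, the timestamp is fresh and the MAC matches."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    timestamp = lowered.get("x-webhook-timestamp", "").strip()
    received = lowered.get("x-webhook-signature", "").strip()
    if not task_id or not received:
        return False
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    # The timestamp is inside the signed string, so a captured request cannot
    # be re-dated; rejecting stale timestamps bounds the replay window.
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > MAX_SKEW_SECONDS:
        return False
    expected = compute_signature(task_id, timestamp, webhook_hmac_key)
    # Constant-time comparison, as the verification steps require.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real Kie AI data.
    key, task, ts = "constructed-demo-key", "task-demo-001", "1700000000"
    hdrs = {"X-Webhook-Timestamp": ts,
            "X-Webhook-Signature": compute_signature(task, ts, key)}
    print(verify_webhook(hdrs, task, key, now=1700000030))   # fresh, valid
    print(verify_webhook(hdrs, task, key, now=1700009999))   # stale replay
    print(verify_webhook(hdrs, "task-other", key, now=1700000030))  # wrong task
```

As the page defines it, the signed string is only the task ID and the timestamp, so the remaining body fields are not covered by this check.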

Complete Example Code

Here are complete examples of implementing webhook signature verification in popular programming languages:
Node.js
Python
PHP
Java

Example Webhook Request

Here's what a complete webhook request looks like: