Title here
Summary here
Webhooks
Webhooks let you receive real-time notifications when specific events occur in Nova. Instead of polling the Nova API for changes, you register an endpoint on your server and Nova sends an HTTP POST request to that endpoint each time that a subscribed event occurs.
For example, you can use webhooks to:
- Detect when a new user registers for Nova on your hosting platform.
- Monitor AI credit consumption and respond when a user runs out of credits.
- Integrate Nova user activity data into your CRM, marketing automation tools, or analytics pipelines.
Register a webhook
You can view and update your webhook configuration in the Partner Dashboard at White Labeling » Webhooks.
For each supported event type, you can configure the following values:
- Webhook URL — The HTTPS endpoint on your server that receives event payloads. Your server must accept requests from the public internet at this URL, and the URL cannot point to private or internal network addresses (for example,
192.168.x.x,10.x.x.x, orlocalhost). - API Key — A secret key that you choose. Nova will use this key to sign and authenticate incoming requests.
If you remove a webhook URL or change your API key, deliveries to the old URL stop immediately.
Supported events
Nova webhooks support the following event types:
| Event Type | Description |
|---|---|
signed_up | A new user registers on Nova for the first time. |
build_completed | A user’s AI prompt runs successfully and the system updates the project. |
build_failed | A user’s AI prompt execution fails. |
domain_connected | A user connects a custom domain to their project. |
project_published | A user successfully publishes a project. |
out_of_credits | A user spends their last available credit. |
Webhook requests
When a configured event occurs, Nova sends a standard HTTP POST request to the webhook URL that you specified. Each request includes headers for authentication and a JSON payload with details about the event and the user.
Webhook deliveries may arrive slightly after the event occurs, depending on queue load and any retry attempts.
Request headers
Nova sends the following headers with every HTTP POST request:
| Header | Value |
|---|---|
Content-Type | The content type. For all requests, this is application/json. |
X-API-Key | The API key that you configured for this webhook. |
X-Signature-SHA256 | The HMAC-SHA256 signature of the request body. |
Idempotency-Key | A unique ID for this specific event delivery. Each delivery attempt uses the same |
User-Agent | The user agent string. For all requests, this is nova-partner-webhook/1. |
The request body is a JSON object containing the event type and the user’s current data. For more information, see Request body.
Request body
Every POST request body includes the following fields:
| Field | Type | Description |
|---|---|---|
event_type | string | The event that triggered this notification (for example, signed_up or build_completed). |
user_name | string | The user’s display name. |
user_email | string | The user’s email address. |
credit_used | integer | The total number of AI credits that the user has used. |
total_projects | integer | The total number of projects that the user has created. |
published_projects | integer | The number of projects that the user has published. |
last_login | string | The ISO 8601-formatted date and time of the user’s last login. |
last_build | string | The ISO 8601-formatted date and time of the user’s last AI prompt run. |
free_or_paid | string | The user’s plan type (free or paid). |
paid_plan_name | string | The name of the user’s paid plan. Empty for free plan users. |
has_connected_domain | string | Whether the user has connected a custom domain (yes or no). |
For example:
{
"event_type": "build_completed",
"user_name": "Jane Smith",
"user_email": "jane@example.com",
"credit_used": 12,
"total_projects": 3,
"published_projects": 1,
"last_login": "2026-05-14T06:30:00.000Z",
"last_build": "2026-05-14T08:45:00.000Z",
"free_or_paid": "paid",
"paid_plan_name": "Pro",
"has_connected_domain": "yes"
}Verifying webhook requests
Nova signs each payload using your API key as the secret.
To ensure your system’s security:
- Always verify the
X-Signature-SHA256header before processing a payload. - Make certain that your system rejects any request that fails signature verification.
To verify a request:
- Read the raw request body before parsing it as JSON.
- Read the signature from the
X-Signature-SHA256header and strip thesha256=prefix. - Compute an HMAC-SHA256 hash of the raw request body using your API key as the secret.
- Compare the result to the stripped header value using a constant-time string comparison to prevent timing attacks. A match confirms that the request came from Nova.
- Acknowledge the request immediately with a
2xxHTTP status code and process the payload asynchronously.Your endpoint should respond within three seconds to avoid triggering unnecessary retries. For more information, see Retries and timeouts.
Retries and timeouts
Nova makes up to four delivery attempts in total (one initial attempt plus up to three retries).
4xx responses
If Nova receives a 4xx response (for example, 400 Bad Request, 404 Not Found, or 401 Unauthorized), it treats the delivery as a permanent failure and does not retry. These responses indicate a configuration problem in your system.
5xx responses and network errors
If Nova receives a 5xx response (for example, 500 Internal Server Error or 503 Service Unavailable) or encounters a network error (for example, a connection timeout), it treats the delivery as a temporary failure.
In this scenario, Nova retries the delivery using the following schedule:
| Attempt | Delay before retry |
|---|---|
| 1st retry | 30 seconds |
| 2nd retry | 1 minute |
| 3rd retry | 2 minutes |
If all delivery attempts fail, Nova logs the event for investigation.
If you experience repeated delivery failures, check your server logs for incoming requests from Nova and any errors that occur when processing those requests. For help, contact WebPros Support.