
Only organization admins can generate, rotate, or revoke API keys and configure webhooks.
API key management
Your API key authenticates every request to the Partner API. See authentication for how to pass it in your requests.Generate a key
If your organization does not have an active key yet:Click Generate API Key
The dashboard creates a new key and displays it in an orange banner at the top of the page.
Rotate a key
Rotation revokes the current key and generates a replacement in a single step. Use this when you need a fresh key without downtime between revoke and generate.Click Rotate Key
A confirmation dialog warns that existing integrations will stop working immediately.
Confirm the rotation
The old key is revoked and a new key appears in the banner. Copy it before leaving the page.
Revoke a key
Revoking permanently deactivates the key. Any request using the revoked key will receive a403 Invalid API Key error.
Webhooks overview
Instead of callingGET /analysis/{analysis_id}/results repeatedly, you can ask Ochy to push
status updates to an HTTPS endpoint you control. Your server receives JSON payloads as the analysis
moves from queued to running, through progress milestones, to success or failure.
The integration flow:
- Register a webhook URL once for your partner account — from the dashboard or with
PUT /webhook. UseGET /webhookto read the current URL,enabledflag, signature status, andupdated_at. - Opt in per analysis when you call
POST /analysis/startwithnotify_via_webhook: true. If you omit it or set it tofalse, no webhook events are sent for that analysis. - Optionally enable HMAC signatures so your server can verify that events were sent by Ochy and that the request body was not modified.
- Handle incoming POST requests on your URL. Each payload includes an event type, status,
percentage, a monotonic
sequenceper analysis, and a timestamp.
2xx) and process the
payload in the background if needed.
Configure webhooks
You configure the webhook once per partner; you do not pass the URL on everyPOST /analysis/start.
From the dashboard
Enter your endpoint URL
Provide an HTTPS URL where Ochy will send POST requests. For example:
https://your-app.com/webhooks/ochy.From the API
GET /webhook returns the stored url, enabled, and updated_at for your partner. If
nothing has been saved yet, the response body is an empty JSON object ({}).
PUT /webhook with a JSON body:
| Field | Type | Description |
|---|---|---|
url | string | HTTPS URL that will receive POST requests from Ochy. |
enabled | boolean | When false, no webhook traffic is sent until you enable it again. |
signature.enabled | boolean | Optional. When true, Ochy signs webhook requests with HMAC-SHA256. |
PUT returns the same shape as GET: url, enabled, and updated_at.
If you enable signatures for the first time, the response also includes a signature.secret.
Copy and store it immediately; it is not returned by GET /webhook.
Example response when a signing secret is generated:
notify_via_webhook is true on start, the API checks that your partner webhook is valid
and enabled. The decision to send webhooks for that analysis is fixed at start time and stored with
the analysis.
Start an analysis with webhooks
Add an optional field to the same multipart request you already use forPOST /analysis/start:
| Field | Type | Default | Description |
|---|---|---|---|
notify_via_webhook | boolean | false | If true, progress and completion events are delivered to your configured webhook URL for this analysis only. |
Events and payload format
For each analysis, events are emitted when:- processing starts (status moves to
analyzing); - progress crosses each 10% boundary from 10% through 90% (if progress jumps, all crossed milestones are sent in order);
- the analysis completes successfully (
success, 100%); - the analysis fails (
failed), at any progress value.
event_type | Typical status | Notes |
|---|---|---|
analysis.started | analyzing | First processing signal for the run. |
analysis.progress | analyzing | Progress milestones at 10%, 20%, … 90%. |
analysis.completed | success | Final success; percentage is 100. |
analysis.failed | failed | Terminal failure; percentage reflects last known progress. |
POST requests to your webhook URL with a JSON body like:
| Field | Description |
|---|---|
analysis_id | Same identifier as video_id from the start endpoint. |
event_type | One of analysis.started, analysis.progress, analysis.completed, analysis.failed. |
status | Current analysis status (analyzing, success, or failed). |
percentage | Progress from 0 to 100. |
sequence | Per-analysis monotonic counter. Use it to order and deduplicate events. |
timestamp | Time of the event in UTC (ISO 8601). |
Verify webhook signatures
Webhook signatures are optional but recommended for production integrations. Enable them from the dashboard or withsignature.enabled: true in PUT /webhook. When signatures are enabled, Ochy
adds two HTTP headers to every webhook request:
| Header | Description |
|---|---|
X-Ochy-Timestamp | Unix timestamp in seconds, generated when the request is sent. |
X-Ochy-Signature | Hex-encoded HMAC-SHA256 signature. |
- Read the raw request body bytes exactly as received.
- Read
X-Ochy-TimestampandX-Ochy-Signature. - Reject old timestamps (for example, more than 5 minutes away from your server time).
- Compute
HMAC-SHA256with your webhook signing secret over<timestamp>.<raw body>. - Compare the expected signature with
X-Ochy-Signatureusing a constant-time comparison.
Python example
Node.js example
Rotate the signing secret
UsePOST /webhook/signature/rotate to generate a new signing secret:
secret once:
Ordering and out-of-order delivery
Webhook delivery is asynchronous. In rare cases an older event might arrive after a newer one.- Each payload includes a
sequencethat increases for thatanalysis_id. - Process events in
sequenceorder; if you receive a payload whosesequenceis less than or equal to the last one you applied for that analysis, you can ignore it.
sequence.
Fallback: polling
You can always call:status is success), whether or not webhooks are enabled. Use it for integration testing,
manual checks, or when you need a single source of truth after delivery issues.
Usage and credits
The remaining two tabs on the API page provide monitoring:- Usage — view your API request history and consumption patterns.
- Credits — check your remaining analysis credits. Each analysis consumes one credit when started (see authentication).
See also
- Analysis workflow — video requirements, status codes, and polling
GET /webhook— read current webhook settingsPUT /webhook— register or update your webhook URLPOST /webhook/signature/rotate— rotate your webhook signing secretPOST /analysis/start—notify_via_webhookfield