Studeia Docs

Public API webhooks and rate limits

How Studeia's API webhooks and rate limits work: limit tiers, control headers, automations with inbound/outbound webhooks, and SSRF prevention.

2026-06-22 7 min
Short answer

Studeia's API applies rate limits by key tier: standard (1,000 req/hour, 100/min), high (5,000/hour, 300/min) and custom — each response carries headers with the limit and the remainder. Outbound webhooks are configured via automations (event trigger → send_webhook action → POST to your URL), and inbound webhooks have a unique token at /api/automations/webhook/[token] to trigger flows from external systems. Outbound webhooks have SSRF prevention: private IPs, localhost and metadata are blocked.

Studeia's API controls call frequency with rate limits and enables event-driven integration via webhooks (inbound and outbound). This guide covers both.

Quick answer

  • Rate limits by tier: standard, high and custom — with control headers
  • Outbound webhooks: via automations (event → send_webhook → your URL)
  • Inbound webhooks: unique token at /api/automations/webhook/[token]
  • SSRF prevention: private IPs/localhost/metadata are blocked

Rate limits

Limits depend on the API key tier:

Tier      Req/hour      Burst/min
standard  1,000         100
high      5,000         300
custom    Configurable  custom

Each API-key-authenticated response includes headers indicating the limit and the remainder. When the limit is exceeded, back off and retry later instead of retrying immediately.

Outbound webhooks (events → your URL)

To receive events in real time, configure an automation:

  1. Trigger: a platform event (lesson completion, enrollment, grade, inactivity, etc.).
  2. Condition (optional): filters on the event or the user.
  3. Action: send_webhook sends a POST to your URL with the event data.

That's how you integrate with CRM, Slack, spreadsheets and your own systems without polling the API.

Inbound webhooks (trigger automations)

Each webhook-type automation gets a 64-character token and a public URL:

POST /api/automations/webhook/YOUR_TOKEN
Content-Type: application/json

{ "any": "payload" }

The POST triggers the automation, and the JSON body is passed as event data — useful to start flows from external systems (e.g., payment approved).

Security (SSRF prevention)

Outbound webhooks cannot point to:

  • Private IPs (IPv4 and IPv6) and localhost.
  • Metadata endpoints (e.g., 169.254.169.254).
  • Alternative notations (octal, hexadecimal, mappings).

This prevents automations from being used to access internal network resources. Always use valid, public URLs, and handle timeouts.
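One way a webhook sender can implement the checks listed above, as an added example that is not Studeia's own code. The function names and the injectable `resolve` parameter are assumptions made for illustration; the numeric parser follows inet_aton rules so octal, hexadecimal and short forms are normalized before the range check.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

NUM = re.compile(r"0[xX][0-9a-fA-F]*|[0-9]+")  # one part of a numeric IPv4 host

def loose_ipv4(host):
    """Parse IPv4 the way inet_aton does: 1-4 parts, each decimal, octal (0...)
    or hex (0x...). None for a DNS name; ValueError for a malformed number."""
    parts = host.rstrip(".").split(".")
    if not NUM.fullmatch(parts[-1]):
        return None  # last label is not numeric, so this is a DNS name
    if len(parts) > 4 or not all(NUM.fullmatch(p) for p in parts):
        raise ValueError("malformed numeric host")
    nums = [int(p, 16) if p[:2].lower() == "0x" else
            int(p, 8) if p[0] == "0" else int(p) for p in parts]
    *head, last = nums  # the last part fills all remaining bytes
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        raise ValueError("numeric host out of range")
    return ipaddress.IPv4Address(sum(n << (24 - 8 * i) for i, n in enumerate(head)) + last)

def is_forbidden(ip):
    """True for loopback, private, link-local (169.254.169.254) and other non-public ranges."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d as a.b.c.d
    return ip.is_multicast or not ip.is_global

def system_resolve(name):
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def check_webhook_url(url, resolve=system_resolve):
    """Return (allowed, reason); `resolve` maps a DNS name to its IP strings."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not host:
            return False, "need an http(s) URL with a host"
        if ":" in host:  # bracketed IPv6 literal
            ips = [ipaddress.ip_address(host)]
        else:
            literal = loose_ipv4(host)
            ips = [literal] if literal is not None else [
                ipaddress.ip_address(a) for a in resolve(host)]
    except (ValueError, OSError) as exc:
        return False, f"rejected host: {exc}"
    blocked = [str(ip) for ip in ips if is_forbidden(ip)]
    if blocked or not ips:  # every resolved address must be public
        return False, "blocked address " + (blocked[0] if blocked else "(none resolved)")
    return True, "ok"
```

A check like this only holds if the sender then connects to the address it validated and re-checks every redirect target; otherwise a DNS answer that changes between check and connect bypasses it.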

Best practices

  1. Respect the rate limits (use headers + backoff).
  2. Validate the origin of inbound webhooks (secret token).
  3. Handle idempotency (retries can occur).
  4. Don't expose webhook tokens publicly.

FAQ

What are the rate limits? standard 1,000/h, high 5,000/h, custom — with headers.

How do I receive events? Via an automation with the send_webhook action.

Are there inbound webhooks? Yes — a unique token at /api/automations/webhook/[token].

Can it point to any URL? No — SSRF prevention blocks private IPs/metadata.


See API authentication and automations.

FAQ

What are the API's request limits (rate limits)?

Limits depend on the key tier: standard (1,000 req/hour, 100/min), high (5,000 req/hour, 300/min) and custom (configurable). Each API-key-authenticated response includes headers with the limit and the remainder, so you can adjust call frequency and avoid blocks.

How do I receive Studeia events in real time (outbound webhooks)?

Via automations: configure an automation with an event trigger (lesson completion, enrollment, grade, etc.) and the send_webhook action, which sends a POST to your URL when the event occurs. That's how you integrate with CRM, Slack, spreadsheets and other systems without polling.

Does Studeia have inbound webhooks (to trigger automations)?

Yes. Each webhook-type automation gets a unique token and a public URL (/api/automations/webhook/[token]). A POST to that URL triggers the automation, passing the JSON body as event data — useful to start flows from external systems.

Can outbound webhooks point to any URL?

No. There's SSRF prevention: URLs to private IPs, localhost and metadata endpoints are blocked (IPv4 and IPv6, including alternative notations). This prevents automations from being used to access internal network resources. Always use valid, public URLs.
