Skip to main content
Last updated: March 09, 2026
Note: If these Terms, Policies, or Agreements are available in multiple languages, and any discrepancies exist between translations, the English version shall prevail.

1. Public API scope

BabySea exposes a public API used for authentication checks, account summaries, billing summaries, model generation, estimation, content lookup, usage analytics, and related customer operations. Customers may access the API directly or through the BabySea SDK. The current product also exposes a browser-based Playground for testing and operational management. Dashboard areas and the account model are described in Account and workspace.

2. API keys

Customers authenticate API requests with Bearer API keys issued in the API keys area of the dashboard.
  • BabySea shows the raw key only at creation or rotation time.
  • BabySea stores credential metadata and a one-way hash of the secret rather than exposing the raw key again after issuance.
  • The current dashboard flow allows customers to choose permissions and an IP allowlist when issuing a key.
  • Expired keys are shown as inactive in the dashboard and may no longer be used for normal operations.
  • Rotation is a separate workflow and currently supports a configurable grace period in the dashboard from 1 to 168 hours before the replaced key fully expires. The default grace period is 24 hours.
You are responsible for protecting all API keys issued to your account, including any keys distributed to employees, contractors, systems, or end-user applications that you operate. Key management privileges depend on the team role model described in Account and workspace.

3. API scopes and access control

BabySea supports scoped API keys. In the current product, the dashboard exposes preset permission sets rather than arbitrary per-endpoint permission editing. These scopes control whether a key can perform generation and other operational actions. Customers must not attempt to bypass scope restrictions, IP allowlists, rate limits, or account-level protections.

4. Generation requests and provider routing

BabySea is an orchestration layer. It normalizes customer requests into a unified schema and routes generation jobs to supported third-party inference providers. Depending on the model and route, BabySea may:
  • return a result inline;
  • poll a provider-side task; or
  • finalize the request through provider webhooks and then send customer webhooks.
Not every provider or model supports the same delivery method, latency profile, or cancel behavior. Provider availability and routing may change over time as BabySea adds, removes, or reprioritizes providers.

5. Webhooks

Customers can configure outbound webhooks in the Webhook area of the dashboard by using the Add endpoint action. In the current product:
  • webhook events cover generation lifecycle events such as started, completed, failed, and canceled;
  • webhook deliveries are signed and include delivery metadata;
  • customers are responsible for verifying signatures on their own webhook receiver;
  • webhook endpoints must be controlled by the customer; and
  • customers are responsible for handling retries, idempotency, and downstream processing on their own systems.
If a customer endpoint is unavailable, BabySea may retry delivery based on the current product behavior. Repeated failures may lead to endpoint disablement or other protective action. Webhook delivery log retention is plan-based and described in Data lifecycle.

6. Polling, status checks, and cancel behavior

Customers may use API lookups to retrieve generation status and outputs. They may also request cancellation for eligible in-flight generations. Because inference jobs can complete quickly, especially for short-running image jobs, a cancellation attempt may lose a race against job completion. In that case, the generation may remain billable and BabySea may return a conflict response instead of applying a refund. Credit reserve and refund behavior is described in Billing and credit.

7. Rate limits and plan enforcement

BabySea enforces account-level rate limits. All API keys issued under the same account share the same limit bucket for the applicable plan. Plan details are described in Billing and credit. In the current self-serve plans, the product enforces the following 60-second sliding-window limits:
PlanGenerations per minuteAPI requests per minute
Free1030
Starter2060
Pro50150
Scale100300
Enterprise200600
These limits may be changed by BabySea from time to time. Enterprise customers may also receive separate written limits in an order form or negotiated agreement.

8. Regions and domains

BabySea currently exposes default regional endpoints for the US and EU environments. Enterprise customers may also use the Domains area to configure one custom API domain in the current product offering, subject to plan eligibility and successful DNS and verification setup.

9. Customer obligations for API use

You must not:
  • misuse API keys or share them outside your authorized organization or application context;
  • use the service to violate law, third-party rights, or BabySea’s prohibited-use rules;
  • attempt to interfere with routing, failover, provider communication, or webhook delivery infrastructure; or
  • represent BabySea outputs, statuses, or provider availability in a misleading way to your own users.