Developers · Webhooks

33 webhook topics, signed payloads.

Every event in Karum lands on your server instantly. HMAC-SHA256 signature, replay protection, exponential retry, dead-letter queue — enterprise-grade reliability.

Webhook guide Try in sandbox

Subscribable topics

HMAC-SHA256

Signature algorithm

6×

Max retries

POST · order.placed

POST /your-endpoint HTTP/1.1
Content-Type: application/json
X-Karum-Topic: order.placed
X-Karum-Delivery-Id: dlv_01H9X2K...
X-Karum-Signature: t=1716843201,v1=a4b3c92e...

{
  "topic": "order.placed",
  "deliveryId": "dlv_01H9X2K...",
  "tenantId": "ten_main",
  "occurredAt": "2026-05-28T09:14:02Z",
  "data": {
    "orderId": "ord_3Axx",
    "total": 1249.90,
    "currency": "TRY",
    "customerId": "cus_Qh8"
  }
}

Topic catalog

10 categories, 33 event types.

Orders, payments, products, vendors, payouts, security — fine-grained topics for every domain. Subscribe only to what you want to hear.

order

Order lifecycle

New order and cancellation flow

order.placedorder.cancelled

payment

Payments & refunds

Capture, refund, and PSP events

payment.capturedpayment.refunded

product

Product catalog

Create, update, publish, archive

product.createdproduct.updatedproduct.publishedproduct.archived

approval

B2B approval flow

Multi-level order approval

approval.request.createdapproval.approvedapproval.rejectedapproval.expired

quote

Quote management

B2B quote lifecycle

quote.sentquote.acceptedquote.rejectedquote.convertedquote.expired

vendor

Vendor / seller

Apply, approve, suspend

vendor.appliedvendor.approvedvendor.rejectedvendor.suspended

payout

Vendor payouts

Commission calc, payment, retry

payout.calculatedpayout.paidpayout.failedpayout.retry.scheduledpayout.retry.given_up

buybox

Buybox

Marketplace winner changes

buybox.winner_changed

report

Reports

Scheduled report triggers

saved_report.due

security

Security & compliance

Impersonation, staff invite, IYS

impersonation.startedimpersonation.endedstaff.invitedstaff.acceptedconsent.iys.push_due

Security controls

Every payload signed, replay-proof.

We sign every request, attach a timestamp, and use an idempotency-key to drive double-processing risk to zero. Failed deliveries land in the dead-letter queue and you can replay them from the panel.

HMAC-SHA256 signature
Every request carries an `X-Karum-Signature: t=<unix>,v1=<hex>` header; we sign `t.payload` concatenated.
Timestamp tolerance
Reject requests older than 5 minutes — blocks replay attacks. Tolerance is configurable.
Idempotent delivery
Every event carries a unique `deliveryId`. If it arrives twice, same result — no double-processing risk.
Dead-letter queue
After 5 failed attempts it falls into the DLQ; replay it from the panel or CLI any time.

Signature verification verify.ts

import crypto from "node:crypto"

export function verifyKarumSignature(
  payload: string,
  header: string,
  secret: string,
): boolean {
  const parts = Object.fromEntries(
    header.split(",").map((p) => p.split("=") as [string, string]),
  )
  const timestamp = parts.t
  const signature = parts.v1

  const expected = crypto
    .createHmac("sha256", secret)
    .update(`${timestamp}.${payload}`)
    .digest("hex")

  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(signature),
  )
}

Retry policy

Failed deliveries with exponential backoff.

If your server doesn't return 2xx, we retry 6 times with exponential delays. After the 5th failure it lands in the dead-letter queue, replayable from the panel.

Attempt

Delay

Immediate

30 seconds

2 minutes

10 minutes

1 hour

Dead-letter queue

After the 5th failure it lands in the DLQ. Dashboard → Webhooks → DLQ to replay.

Getting started

Your first sale this week. Setup in 5 minutes.

Our onboarding team runs the process. Data migration, product mapping, and channel connection included — first sale on average in 3–7 days.

Create free account Request demo [email protected] · +90 850 244 51 10

LET'SGO