Skip to main content
Karta can POST event notifications to an HTTPS endpoint you own - subscription changes, budget thresholds, session and turn lifecycle events, and account security events - so your systems react without polling.

Register an endpoint

Use the CLI:
Or use the management SDK:
Each endpoint subscribes to a selected set of event types - you receive only what you ask for. If you pass no event types, the endpoint receives every supported event.

Event types

The API returns the current event-type list from GET /api/webhook_endpoints, so automation can validate subscriptions before creating an endpoint.

Payload and headers

Each POST has JSON shaped like:
Karta also sends:

Verifying signatures

Deliveries are signed with HMAC-SHA256. The Karta-Signature header carries t=<timestamp>,v1=<hexdigest>, where the signature is computed over the string "<timestamp>.<raw_body>" with your endpoint’s signing secret. Recompute it and compare in constant time before trusting the payload.
Always verify against the raw request body, before any JSON parsing or re-serialization - reserializing changes the bytes and breaks the signature.

Delivery, retries, and auto-disable

SSRF protection

Webhook URLs must be HTTPS public destinations. Private, loopback, link-local, and internal hostnames are rejected, and destinations are re-checked before delivery. You cannot point a webhook at internal infrastructure.
Webhooks are outbound notifications from Karta to you. They’re distinct from sessions, which fan messages out to session participants.