Register an endpoint
Use the CLI:Event types
The API returns the current event-type list from
GET /api/webhook_endpoints, so
automation can validate subscriptions before creating an endpoint.
Payload and headers
Each POST has JSON shaped like:Verifying signatures
Deliveries are signed with HMAC-SHA256. TheKarta-Signature header carries t=<timestamp>,v1=<hexdigest>, where the
signature is computed over the string "<timestamp>.<raw_body>" with your
endpoint’s signing secret. Recompute it and compare in constant time before
trusting the payload.
Delivery, retries, and auto-disable
SSRF protection
Webhook URLs must be HTTPS public destinations. Private, loopback, link-local, and internal hostnames are rejected, and destinations are re-checked before delivery. You cannot point a webhook at internal infrastructure.Webhooks are outbound notifications from Karta to you. They’re distinct
from sessions, which fan messages out
to session participants.

