Skip to content
Keylight Keylight Keylight Docs

Creem setup

Keylight integrates with Creem through an HMAC-signed webhook: every completed checkout, subscription state change, and refund hits Keylight, and Keylight mints, renews, or refunds the matching license. There’s no OAuth and no outbound Creem API call from Keylight — only the signed webhook with a shared secret.

1. Enable Creem in the dashboard

Section titled “1. Enable Creem in the dashboard”

From your dashboard, go to Settings → Integrations → Creem and click Enable Creem. Keylight reveals the webhook URL:

https://api.keylight.dev/webhooks/creem/<your-tenant-id>

Copy it — you’ll paste it into Creem’s webhook settings in step 3.

2. Map Creem Product IDs to Keylight apps

Section titled “2. Map Creem Product IDs to Keylight apps”

In Settings → Integrations → Creem, add one row per product.

Creem Product IDKeylight appKey type
prod_abc…myapppro
prod_xyz…myappteam

Keylight reads object.product.id from each checkout.completed event to pick the row. Unmapped products are rejected with 400 unmapped_product.

3. Configure the webhook in Creem

Section titled “3. Configure the webhook in Creem”

In the Creem dashboard:

  1. Go to Developers → Webhook.
  2. Click Add endpoint.
  3. Paste the Keylight URL from step 1 into the URL field.
  4. Subscribe to these events:
    • checkout.completed
    • subscription.paid
    • subscription.active
    • subscription.update
    • subscription.trialing
    • subscription.scheduled_cancel
    • subscription.past_due
    • subscription.paused
    • subscription.canceled
    • subscription.expired
    • refund.created
  5. Save. Creem reveals the webhook signing secret — copy it.

Back in Keylight (Settings → Integrations → Creem), paste the secret into Webhook signing secret and save. Keylight verifies the creem-signature header (lowercase hex HMAC-SHA256) on every delivery.

4. Test the connection

Section titled “4. Test the connection”

Creem’s webhook page has a Send test action.

  • 200 OK from Keylight with a fresh license record in Dashboard → Licenses means signature + product map are correct.
  • 400 invalid_signature → secret mismatch; re-copy from Creem.
  • 400 unmapped_product → the test event’s Product ID isn’t in your map.

What happens on a real sale

Section titled “What happens on a real sale”

When a customer checks out, Creem fires checkout.completed. Keylight verifies creem-signature, looks up the app+key-type from object.product.id, mints a license, and records the payment. Subscription renewals arrive as subscription.paid (or subscription.active / subscription.update) and re-extend the license. subscription.scheduled_cancel is treated as still active until the period ends — only subscription.canceled / subscription.expired flip the license to cancelled. refund.created flips it to refunded.

Upgrades

Section titled “Upgrades”

To send a customer to a Creem checkout that upgrades their existing license, append metadata[keylight_upgrade_key]=<license-key> to the Upgrade checkout URL you set on the key type. Creem echoes the metadata back in the checkout event and Keylight links the new payment to the existing license.

Disconnecting

Section titled “Disconnecting”

Settings → Integrations → Creem → Disconnect clears the signing secret and the product map. Existing licenses are untouched — only new webhook deliveries stop minting.