Gumroad setup

Keylight integrates with Gumroad through a one-way ping URL: every time a sale completes on your Gumroad product, Gumroad posts the sale details to Keylight, and Keylight mints a license. There is no OAuth and no Gumroad API call from Keylight — the only thing leaving Gumroad is the webhook ping, signed with a shared secret token you generate in the dashboard.

Tip

One Gumroad seller, multiple Keylight apps. A single Keylight account can map several Gumroad permalinks to different apps. Each permalink → one app.

1. Enable Gumroad in the dashboard

From your dashboard, go to Settings → Integrations → Gumroad and click Enable Gumroad. Keylight generates a random shared-secret token and stores it on your account. The page then shows you a ping URL of the form:

https://api.keylight.dev/webhooks/gumroad/<your-tenant-id>?token=<generated-token>

The token query parameter is your shared secret. Anyone with the URL can fire pings at your account — treat it like an API key. Rotate it from the same panel if it ever leaks.

2. Map Gumroad permalinks to Keylight apps

A Gumroad permalink is the short slug at the end of gumroad.com/l/<permalink> — e.g. gumroad.com/l/myapp-pro has permalink myapp-pro. In Settings → Integrations → Gumroad, add one row per Gumroad product:

Permalink	Keylight app
myapp-pro	pro
myapp-team	team

Each permalink must map to exactly one Keylight app. The dashboard rejects duplicate permalinks. Permalinks not in the map are ignored — Keylight returns 400 for unmapped sales rather than minting a key against an unknown app.

The optional Seller ID field is informational only; it isn’t used for verification.

3. Paste the ping URL into Gumroad

In the Gumroad seller dashboard:

1. Open your product → Edit.
2. Go to the Advanced section.
3. Find Ping URL and paste the URL Keylight gave you (including the ?token= query string).
4. Save.

Repeat for each product you mapped in step 2.

Caution

Gumroad sends the same ping URL for every sale of that product. Keylight uses the product_permalink field in the ping payload to pick the right Keylight product, so you can paste the same URL into multiple Gumroad products as long as each permalink is in your mapping.

4. Test the connection

Gumroad’s product editor includes a Send test ping button. Keylight detects test pings (the form field test=true) and short-circuits with 204 No Content — no license is issued, no payment record is written. A 204 here means your URL, token, and permalink are all wired correctly.

If you see a 400, the most likely cause is one of:

• The token query parameter doesn’t match what Keylight stored — rotate it and re-paste.
• The Gumroad permalink isn’t in your mapping — add a row in Settings → Integrations → Gumroad.
• Your account is in a state that doesn’t allow new licenses (e.g. suspended) — check Account → Status.

What happens on a real sale

When a customer completes a real Gumroad checkout, Gumroad fires a resource_name=sale ping. Keylight verifies the token, looks up the app from the permalink map, mints a fresh license, and records the payment. See How Gumroad payments flow for the full sequence and the Webhook reference for field-by-field details.

Disconnecting

Settings → Integrations → Gumroad → Disconnect clears the webhook token, seller ID, and permalink map in one shot. Existing licenses are not affected — only new pings stop minting. Disconnect is reversible: re-enable to get a new token (the old one cannot be recovered).