Kontraktr™ API Reference

35 endpoints across 11 categories · REST / JSON over HTTPS

Total Endpoints

API Categories

Webhook Events

REST

JSON over HTTPS

Authentication

Authenticated endpoints require a valid NextAuth session cookie. For programmatic access, use the session JWT in the Authorization: Bearer <token> header. Public endpoints under /api/public/* require no authentication.

Rate Limiting

API requests are rate-limited per IP and per user session. Standard limits are 100 requests per minute for authenticated endpoints and 30 per minute for public endpoints. Rate limit headers are included in every response: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset.

Create, read, update, and manage print jobs.

Manage customer records and contacts.

Invoice management, payments, and financial operations.

Public quote calculation endpoints for instant pricing.

Public endpoints for customer-facing portal. Authenticated by portal slug, no API key required.

Manage outbound webhook subscriptions for real-time event notifications.

Search supplier catalogs, check inventory, and get pricing from S&S Activewear, SanMar, and more.

Job scheduling, calendar views, and production queue.

Business analytics, revenue tracking, and KPIs.

Shop settings, user management, and system configuration.

Rate shopping, label generation, and shipment tracking.

Webhook Events

7 event types with real-time delivery

Kontraktr™ delivers webhook events to your registered endpoints in real time. Each event includes a JSON payload with the event type, timestamp, and relevant data. Events are signed with HMAC-SHA256 for verification.

Webhook Security

HMAC-SHA256 signature verification

How It Works

When you create a webhook endpoint, a unique signing secret (whsec_...) is returned once. Store it securely.
Each delivery includes three headers: X-Webhook-Signature, X-Webhook-Timestamp, and X-Webhook-Id.
The signature is computed as sha256=HMAC(timestamp.body, secret).
Recompute the HMAC on your end and compare using a timing-safe comparison function.
Reject events where the timestamp is older than 5 minutes to prevent replay attacks.

Webhook Headers

Header	Description
`X-Webhook-Signature`	HMAC-SHA256 hex digest prefixed with `sha256=`
`X-Webhook-Timestamp`	Unix timestamp (seconds) of when the event was dispatched
`X-Webhook-Id`	Unique delivery UUID for idempotency checks
`Content-Type`	Always `application/json`

Signature Verification

import crypto from "crypto";

function verifyWebhookSignature(
  body: string,
  signature: string,
  timestamp: string,
  secret: string
): boolean {
  const payload = `${timestamp}.${body}`;
  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");
  return crypto.timingSafeEqual(
    Buffer.from(`sha256=${expected}`),
    Buffer.from(signature)
  );
}

// In your Express/Next.js handler:
app.post("/webhook", (req, res) => {
  const sig = req.headers["x-webhook-signature"];
  const ts = req.headers["x-webhook-timestamp"];
  const valid = verifyWebhookSignature(
    JSON.stringify(req.body), sig, ts, process.env.WEBHOOK_SECRET
  );
  if (!valid) return res.status(401).send("Invalid signature");
  // Process event...
  res.status(200).send("OK");
});

Retry Policy

Kontraktr™ retries failed webhook deliveries with exponential backoff:

Attempt	Delay	Notes
1	Immediate	Initial delivery
2	30 seconds	First retry
3	5 minutes	Second retry
4	30 minutes	Third retry
5	2 hours	Final retry

A delivery is considered failed if your endpoint returns a non-2xx status code or times out after 10 seconds. After 5 failed attempts, the endpoint is automatically disabled. You can re-enable it from Settings → Webhooks.

Use the X-Webhook-Id header for idempotency to safely handle duplicate deliveries.

Best Practices

Always verify the HMAC signature before processing events
Respond with 200 OK within 10 seconds to avoid retries
Process webhook payloads asynchronously (queue the event, respond immediately)
Use the X-Webhook-Id header for idempotency
Reject timestamps older than 5 minutes to prevent replay attacks
Store the signing secret securely in environment variables
Use the test endpoint to verify your integration before going live

Loading…

Header

Description

X-Webhook-Signature

HMAC-SHA256 hex digest prefixed with sha256=

X-Webhook-Timestamp

Unix timestamp (seconds) of when the event was dispatched

X-Webhook-Id

Unique delivery UUID for idempotency checks

Content-Type

Always application/json

import crypto from "crypto"; function verifyWebhookSignature( body: string, signature: string, timestamp: string, secret: string ): boolean { const payload = `${timestamp}.${body}`; const expected = crypto .createHmac("sha256", secret) .update(payload) .digest("hex"); return crypto.timingSafeEqual( Buffer.from(`sha256=${expected}`), Buffer.from(signature) ); } // In your Express/Next.js handler: app.post("/webhook", (req, res) => { const sig = req.headers["x-webhook-signature"]; const ts = req.headers["x-webhook-timestamp"]; const valid = verifyWebhookSignature( JSON.stringify(req.body), sig, ts, process.env.WEBHOOK_SECRET ); if (!valid) return res.status(401).send("Invalid signature"); // Process event... res.status(200).send("OK"); });

Attempt

Delay

Notes

Immediate

Initial delivery

30 seconds

First retry

5 minutes

Second retry

30 minutes

Third retry

2 hours

Final retry

Kontraktr™ API Reference

Authentication

Rate Limiting

Jobs

Customers

Invoices & Billing

Quote Calculator

Customer Portal

Webhooks

Suppliers & Inventory

Calendar & Scheduling

Analytics & Reports

Settings & Configuration

Shipping

Webhook Events

Webhook Security

How It Works

Webhook Headers

Signature Verification

Retry Policy

Best Practices

Kontraktr™ API Reference

Authentication

Rate Limiting

Jobs

Customers

Invoices & Billing

Quote Calculator

Customer Portal

Webhooks

Suppliers & Inventory

Calendar & Scheduling

Analytics & Reports

Settings & Configuration

Shipping

Webhook Events

Webhook Security

How It Works

Webhook Headers

Signature Verification

Retry Policy

Best Practices