What you’ll get
- More reliable delivery, with automatic retries when your receiver is slow or briefly unavailable.
- More robust delivery logs in the dashboard showing every event, its status, and its response — so you can see exactly what was sent and what came back.
- Stronger event signing so your receiver can verify each event genuinely came from KarmaCheck.
- Multiple endpoints, allowing for more flexability when setting up event receivers.
What stays the same
- Your existing webhook URLs.
- The events you’re subscribed to.
What changes
The new system uses HMAC-SHA256 signature verification with a per-endpoint signing secret, delivered through industry-standardwebhook-* headers. This is not the same as the legacy karmacheck-signature HMAC — the headers, the signed content, the encoding, the timestamp units, and the secret itself all change. The table below shows exactly what differs.
| Legacy | New | |
|---|---|---|
| Signature header(s) | karmacheck-signature: t=<ms>,v1=<hex> | webhook-id, webhook-timestamp, webhook-signature: v1,<base64> |
| Signed content | <timestamp>.<sha256-hex-of-body> | <webhook-id>.<webhook-timestamp>.<raw-body> |
| Signature encoding | hex | base64 |
| Timestamp units | milliseconds | seconds |
| Signing secret | per-endpoint secret (no prefix) | new per-endpoint secret, whsec_… format |
| Authentication | username/password in the JSON body | removed — signature only |
User-Agent | KarmaCheck WebHook 2.0 | Svix-Webhooks/… |
Legacy endpoints with username/password authentication will be clearly marked.

Migration overview
During the migration, your Webhooks page shows two panels — the legacy webhooks and the new webhooks — each with its own on/off switch. The two switches are independent, which lets you safely run both systems in parallel before fully switching over.
- Copy your endpoints into the new system.
- Turn the new system on while legacy is still running. Your receiver will get every event twice — once from each system. This is the verification window.
- Confirm everything looks right.
- Turn the legacy system off.
Migration steps
1. Open the Webhooks screen
Go to the Company Settings page, found in your Profile dropdown, and navigate to the Webhooks tab.
2. Start the migration
You’ll see a banner inviting you to upgrade. Click Start Migration.
If the migration reports any errors, stop here and contact support.

3. Update signature verification
This step is required for every endpoint, not just former username/password users. Update your receiver to:- Read the new headers —
webhook-id,webhook-timestamp, andwebhook-signature— instead of the legacykarmacheck-signatureheader. - Use the new signing secret — each endpoint in the new system has its own
whsec_…secret. Copy it from the endpoint’s detail view in the dashboard; the legacy secret will not work. - Verify with the new scheme — HMAC-SHA256 over
<webhook-id>.<webhook-timestamp>.<raw-body>, base64-encoded.
karmacheck-signature check with this verification — see Verifying signatures in the Webhooks overview for a ready-to-use code sample.
4. Turn on the new delivery
Once your receiver is ready, flip the on/off switch on the new Webhooks panel to ON. Your receiver will now get every event twice — once from the old system, once from the new one. This is intentional. Use this window to verify the new path is working.5. Verify the new path is working
Trigger a test event you can observe end-to-end. In the new Webhooks panel, the delivery log shows each event the new system sent, the response code from your receiver, and the payload. On your receiver, you should see two copies of each event arriving and your code processing both successfully.
6. Turn off the old delivery
Once you’re confident the new system is working, flip the on/off switch on the legacy Webhooks panel to OFF. The new system is now your only delivery channel.7. Remove the old endpoints
The old endpoints stay listed but no longer receive events. You can delete them whenever you’re ready. Once they’re all removed, the old panel disappears. You’re done.Rolling back
You can reverse any step except deleting the old endpoints:- Pause the new delivery: flip the new panel’s switch OFF.
- Resume the old delivery: flip the old panel’s switch ON.
- Run both at once again: turn both switches ON.
Common questions
I already verify with a signing secret — do I still need to change anything?
I already verify with a signing secret — do I still need to change anything?
Yes. The legacy
karmacheck-signature HMAC is replaced entirely. The signature headers, the signed content, the encoding, the timestamp units, and the per-endpoint secret all change in the new system. See What changes for the side-by-side comparison.The new system shows errors after I turned it on.
The new system shows errors after I turned it on.
Open the delivery log in the new panel. Most often, error responses mean your receiver is still expecting the old signature format or using the old signing secret. Confirm that the signature verification update — new
webhook-* headers and the new whsec_… secret — has been deployed.I have multiple groups configured. Do I need to migrate each one?
I have multiple groups configured. Do I need to migrate each one?
No. Start Migration copies all of your endpoints in a single step.
Will I lose any events during the cutover?
Will I lose any events during the cutover?
No, as long as you verify in the dual-delivery window before turning off the old system. Each system has its own delivery queue; events flow through whichever system is on at the moment they’re emitted.