Marea → receiver dispatch for `orderpaid`
POSTed from Marea to the url registered on the matching webhook endpoint. Verify X-Marea-Signature against the endpoint’s signingSecret (HMAC-SHA256 over <timestamp>.<raw-body>). Retry policy: up to 3 attempts at 0s / +30s / +5min on any non-2xx response.
Authorizations
Marea API key. mk_dev_* keys are developer-scoped (bootstrap, list users, register webhook). mk_user_* keys are user-scoped (manage that one user's storefronts/products). Scopes: catalog:read, catalog:write, storefront:publish, me:verify, me:resendVerification, developer:bootstrap, developer:read, developer:issueUserKey, developer:webhooks.
Headers
HMAC-SHA256 signature, t=<unix-ts>,v1=<hex>. Verify before processing.
"t=1714867260,v1=5f9b...e3a1"
Event type identifier (mirrors type in the body).
Enum of webhook event types a WebhookEndpoint may subscribe to. Developer-scope endpoints can subscribe to any value; merchant-scope endpoints are restricted to order.* (PRD-14).
user.verified, user.cancelled, order.created, order.status_updated, order.paid The endpointId that owns this delivery.
"mk_we_0123456789abcdef"
Signing-secret version used to compute X-Marea-Signature (matches the endpoint's signingSecretVersion at dispatch time).
x >= 11
Scope of the endpoint that received the event.
developer, merchant UUID v4 — receivers should use this for idempotent processing.
Per-attempt delivery id. Different from X-Marea-Event-Id on retries of the same event.
Always marea-webhook/1.0.
"marea-webhook/1.0"
Body
Webhook envelope dispatched for order.paid events.
order.paid "order.paid"
UUID v4. Use for receiver-side idempotency.
ISO-8601 timestamp the event was emitted.
Webhook envelope/version contract identifier.
2026-05-12 "2026-05-12"
Response
Receiver accepted the event. Any 2xx terminates the retry loop.