Resources/The Agent API Atlas/E-commerce/Gumroad

Everything an AI agent can do with the Gumroad API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints40

API versionv2

Last updated23 June 2026

Orientation

How the Gumroad API works.

The Gumroad API is how an app or AI agent works with a seller's Gumroad account: listing products, creating offer codes, reading sales, refunding a sale, or verifying a license key. Access is granted through an OAuth 2.0 access token whose scopes decide what a call can read or write, from view_sales for reading sales up to account for full access. Gumroad can also push events like a sale or a refund to a registered URL through a resource subscription.

40Endpoints

9Capability groups

16Read

24Write

5Permissions

Authentication

Gumroad uses OAuth 2.0. A seller authorizes an application at gumroad.com/oauth/authorize, and the application exchanges the code for an access token at api.gumroad.com/oauth/token. The token is sent on each call as an Authorization: Bearer header or as an access_token parameter. A seller can also generate an access token for their own application in Gumroad's settings without the full redirect.

Permissions

Each method maps to an OAuth scope. view_profile gives read access to public profile and products, view_sales reads sales and subscribers, edit_products reads and writes products and their variants, offer codes, and custom fields, edit_sales refunds sales and resends receipts, and mark_sales_as_shipped marks sales shipped. The account scope grants full access to every endpoint, so a least-privilege integration requests only the narrow scopes it needs.

Versioning

Gumroad serves a single version, v2, reached through the /v2 path, with no dated version header to pin. Changes are rolled out in place rather than as new versions, so an integration tracks them through the API documentation, like the deprecation of offset pagination in favor of a cursor.

Data model

The API is resource-oriented JSON over HTTPS at https://api.gumroad.com, under the /v2 path. Products hold variant categories, variants, offer codes, and custom fields as nested resources, while sales, subscribers, and licenses sit at the account level. A response carries a success boolean, and a resource subscription pushes events like a sale or a refund to a registered URL.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Gumroad determines what it can reach. There is a route for making calls and a route for receiving events, and each is governed by the access token behind it and the scopes that token carries.

Ways to connect

REST API

The REST API answers at https://api.gumroad.com, with every method under the /v2 path. It takes form-encoded or JSON request bodies and returns JSON, where each response carries a success boolean. A call authenticates with an OAuth 2.0 access token, sent as an Authorization: Bearer header or as an access_token parameter.

Best forConnecting an app or AI agent to Gumroad.

Governed byThe access token and the scopes it carries.

Docs ↗

Resource subscriptions (webhooks)

A resource subscription registers a post_url that Gumroad sends an HTTP POST to whenever a chosen event fires, like a sale, a refund, a dispute, or a membership cancellation. A subscription is created through the API with the view_sales scope and is tied to the OAuth application that created it. The post_url must be a public HTTP or HTTPS URL.

Best forReceiving Gumroad events at an app or AI agent without polling.

Governed byThe view_sales scope and the OAuth application behind the subscription.

Docs ↗

Authentication

OAuth 2.0 access token

Gumroad uses OAuth 2.0. A seller authorizes an application at gumroad.com/oauth/authorize, and the application exchanges the returned code for an access token at api.gumroad.com/oauth/token. The token is sent on each call as an Authorization: Bearer header or as an access_token parameter, and it carries the scopes the seller approved.

TokenOAuth 2.0 access token (Bearer)

Best forConnecting an app or AI agent to a seller's Gumroad account.

Docs ↗

Application access token

A seller can generate an access token for their own application directly in Gumroad's settings, without running the full authorization redirect. The token still carries scopes and is used the same way as an OAuth token, which suits an integration that only ever acts on the seller's own account.

TokenOAuth 2.0 access token (Bearer)

Best forActing only on the seller's own Gumroad account.

Docs ↗

Capability map

What an AI agent can do in Gumroad.

The Gumroad API is split into areas an agent can act on, like products, offer codes, sales, subscribers, and licenses. Each area maps to its own scopes, and some scopes give access to far more than others.

Products

7 endpoints

List and read products, create and update them, enable or disable a product, and delete one.

Writes here change real product data.

View endpoints →

Variant categories & variants

10 endpoints

List, create, read, update, and delete variant categories on a product and the variants inside each category.

Writes here change real variant data.

View endpoints →

Offer codes

5 endpoints

List, read, create, update, and delete the discount codes attached to a product.

Writes here change real offer code data.

View endpoints →

Custom fields

4 endpoints

List, create, update, and delete the custom fields a product asks buyers to fill in.

Writes here change real custom field data.

View endpoints →

Sales

5 endpoints

List a seller's sales, read a single sale, mark a sale as shipped, refund a sale, and resend a purchase receipt.

Writes here move real money or change real sale data.

View endpoints →

Subscribers

2 endpoints

List the subscribers of a membership product and read a single subscriber.

Writes here change real subscriber data.

View endpoints →

Licenses

3 endpoints

Verify a license key, and enable or disable a license.

Writes here change real license data.

View endpoints →

Resource subscriptions (webhooks)

3 endpoints

List, create, and delete resource subscriptions, the webhooks Gumroad posts to when an event fires.

Writes here change which events get pushed to a URL.

View endpoints →

User

1 endpoint

Read the authenticated seller's account information.

Writes here change real user data.

View endpoints →

Endpoint reference

Every Gumroad API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Products List and read products, create and update them, enable or disable a product, and delete one.7
GET	`/v2/products`	List all products owned by the authenticated seller, newest first.	read	`view_profile`	Current
Needs view_profile (or account). The sales_count and sales_usd_cents fields appear only when the token also has view_sales. Acts onproduct Permission (capability)`view_profile` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/products/:id`	Retrieve a single product by its id.	read	`view_profile`	Current
Needs view_profile (or account). Acts onproduct Permission (capability)`view_profile` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/products`	Create a new product.	write	`edit_products`	Current
Needs edit_products (or account). Acts onproduct Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/products/:id`	Update an existing product.	write	`edit_products`	Current
Needs edit_products (or account). Acts onproduct Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/products/:id/enable`	Enable (publish) a product so it can be bought.	write	`edit_products`	Current
Needs edit_products (or account). Acts onproduct Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/products/:id/disable`	Disable (unpublish) a product so it can no longer be bought.	write	`edit_products`	Current
Needs edit_products (or account). Acts onproduct Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/products/:id`	Permanently delete a product.	write	`edit_products`	Current
Needs edit_products (or account). Irreversible. Acts onproduct Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Variant categories & variants List, create, read, update, and delete variant categories on a product and the variants inside each category.10
GET	`/v2/products/:product_id/variant_categories`	List the variant categories on a product (a variant category is a group of options, like Size).	read	`edit_products`	Current
Needs edit_products (or account); variant categories live under the edit_products scope. Acts onvariant_category Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/products/:product_id/variant_categories`	Create a variant category on a product.	write	`edit_products`	Current
Needs edit_products (or account). Acts onvariant_category Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/products/:product_id/variant_categories/:id`	Retrieve a single variant category.	read	`edit_products`	Current
Needs edit_products (or account). Acts onvariant_category Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/products/:product_id/variant_categories/:id`	Update a variant category.	write	`edit_products`	Current
Needs edit_products (or account). Acts onvariant_category Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/products/:product_id/variant_categories/:id`	Delete a variant category.	write	`edit_products`	Current
Needs edit_products (or account). Acts onvariant_category Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/products/:product_id/variant_categories/:variant_category_id/variants`	List the variants inside a variant category.	read	`edit_products`	Current
Needs edit_products (or account). Acts onvariant Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/products/:product_id/variant_categories/:variant_category_id/variants`	Create a variant inside a variant category.	write	`edit_products`	Current
Needs edit_products (or account). Acts onvariant Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/products/:product_id/variant_categories/:variant_category_id/variants/:id`	Retrieve a single variant.	read	`edit_products`	Current
Needs edit_products (or account). Acts onvariant Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/products/:product_id/variant_categories/:variant_category_id/variants/:id`	Update a variant.	write	`edit_products`	Current
Needs edit_products (or account). Acts onvariant Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/products/:product_id/variant_categories/:variant_category_id/variants/:id`	Delete a variant.	write	`edit_products`	Current
Needs edit_products (or account). Acts onvariant Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Offer codes List, read, create, update, and delete the discount codes attached to a product.5
GET	`/v2/products/:product_id/offer_codes`	List the offer codes (discount codes) on a product.	read	`view_profile`	Current
Reads need view_profile (or account); creating, updating, and deleting an offer code need edit_products. Acts onoffer_code Permission (capability)`view_profile` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/products/:product_id/offer_codes/:id`	Retrieve a single offer code.	read	`view_profile`	Current
Reads need view_profile (or account). Acts onoffer_code Permission (capability)`view_profile` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/products/:product_id/offer_codes`	Create an offer code on a product.	write	`edit_products`	Current
Needs edit_products (or account). Acts onoffer_code Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/products/:product_id/offer_codes/:id`	Update an offer code, for example its discount or maximum number of uses.	write	`edit_products`	Current
Needs edit_products (or account). Acts onoffer_code Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/products/:product_id/offer_codes/:id`	Delete an offer code.	write	`edit_products`	Current
Needs edit_products (or account). Acts onoffer_code Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Custom fields List, create, update, and delete the custom fields a product asks buyers to fill in.4
GET	`/v2/products/:product_id/custom_fields`	List the custom fields a product asks buyers to fill in.	read	`edit_products`	Current
Custom fields live under the edit_products scope (or account), for reads as well as writes. Acts oncustom_field Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/products/:product_id/custom_fields`	Create a custom field on a product.	write	`edit_products`	Current
Needs edit_products (or account). Acts oncustom_field Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/products/:product_id/custom_fields/:id`	Update a custom field on a product.	write	`edit_products`	Current
Needs edit_products (or account). Acts oncustom_field Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/products/:product_id/custom_fields/:id`	Delete a custom field from a product.	write	`edit_products`	Current
Needs edit_products (or account). Acts oncustom_field Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Sales List a seller's sales, read a single sale, mark a sale as shipped, refund a sale, and resend a purchase receipt.5
GET	`/v2/sales`	List the authenticated seller's successful sales across all products, newest first.	read	`view_sales`	Current
Needs view_sales (or account). Returns up to 10 sales per page and can be filtered by date, email, product, or order. Use the next_page_key cursor to page. Acts onsale Permission (capability)`view_sales` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/sales/:id`	Retrieve a single sale by its id.	read	`view_sales`	Current
Needs view_sales (or account). Acts onsale Permission (capability)`view_sales` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/sales/:id/mark_as_shipped`	Mark a sale of a physical product as shipped, optionally with tracking.	write	`mark_sales_as_shipped`	Current
Needs the mark_sales_as_shipped scope specifically; view_sales alone is not enough. Acts onsale Permission (capability)`mark_sales_as_shipped` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/sales/:id/refund`	Refund a sale, fully or partially.	write	`edit_sales`	Current
Needs the edit_sales scope, which grants refunding sales and resending receipts. This moves real money back to the buyer. Acts onsale Permission (capability)`edit_sales` VersionAvailable since the API’s base version Webhook event`refund` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/sales/:id/resend_receipt`	Resend the purchase receipt email for a sale.	write	`edit_sales`	Current
Needs the edit_sales scope. Acts onsale Permission (capability)`edit_sales` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Subscribers List the subscribers of a membership product and read a single subscriber.2
GET	`/v2/products/:product_id/subscribers`	List the subscribers of a membership or recurring product.	read	`view_sales`	Current
Needs view_sales (or account); subscriber data sits under the view_sales scope. Acts onsubscriber Permission (capability)`view_sales` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/subscribers/:id`	Retrieve a single subscriber by its id.	read	`view_sales`	Current
Needs view_sales (or account). Acts onsubscriber Permission (capability)`view_sales` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Licenses Verify a license key, and enable or disable a license.3
POST	`/v2/licenses/verify`	Verify a license key for a product and read its details.	read	—	Current
No OAuth scope or access token required; it takes the product_id and license_key. By default each verify increments the uses count, unless increment_uses_count is set to false. Acts onlicense Permission (capability)None required VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/licenses/enable`	Enable a license key so it verifies as valid again.	write	`edit_products`	Current
Needs edit_products (or account); takes the product_id and license_key. Acts onlicense Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/licenses/disable`	Disable a license key so it no longer verifies as valid.	write	`edit_products`	Current
Needs edit_products (or account); takes the product_id and license_key. Acts onlicense Permission (capability)`edit_products` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Resource subscriptions (webhooks) List, create, and delete resource subscriptions, the webhooks Gumroad posts to when an event fires.3
GET	`/v2/resource_subscriptions`	List the resource subscriptions for a given resource_name, like sale or refund.	read	`view_sales`	Current
Needs view_sales (or account). A resource_name query parameter selects which event's subscriptions to list. Each subscription is tied to the OAuth application that created it. Acts onresource_subscription Permission (capability)`view_sales` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/v2/resource_subscriptions`	Create a resource subscription so Gumroad posts to a URL when the chosen event fires.	write	`view_sales`	Current
Needs view_sales (or account). Takes a resource_name and a post_url, which must be a public HTTP or HTTPS URL, not localhost, 127.0.0.1, or 0.0.0.0. Acts onresource_subscription Permission (capability)`view_sales` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/resource_subscriptions/:id`	Delete a resource subscription so its event is no longer posted.	write	`view_sales`	Current
Needs view_sales (or account). Only the OAuth application that created a subscription can delete it. Acts onresource_subscription Permission (capability)`view_sales` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
User Read the authenticated seller's account information.1
GET	`/v2/user`	Retrieve the authenticated seller's account information.	read	`view_profile`	Current
Needs view_profile (or account). Acts onuser Permission (capability)`view_profile` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Gumroad can notify an app when something happens in a seller's account, like a sale being made, a sale being refunded, or a membership being cancelled. A resource subscription registers a URL that Gumroad posts to when the chosen event fires, so an agent learns about activity without polling.

Event	What it signals	Triggered by
`sale`	Fires when a product is sold, carrying the sale details. This is the primary signal to fulfill an order.	In-app only
`refund`	Fires when a sale is refunded, fully or partially.	`/v2/sales/:id/refund`
`dispute`	Fires when a buyer opens a chargeback dispute on a sale.	In-app only
`dispute_won`	Fires when a chargeback dispute is resolved in the seller's favor.	In-app only
`cancellation`	Fires when a buyer cancels a membership or subscription.	In-app only
`subscription_updated`	Fires when a subscription changes, like an upgrade, a downgrade, or a tier change.	In-app only
`subscription_ended`	Fires when a subscription ends, whether it ran to completion or was cancelled and lapsed.	In-app only
`subscription_restarted`	Fires when a previously cancelled or ended subscription is restarted.	In-app only

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Gumroad limits how fast an app or AI agent can call. The published documentation states that going over the limit returns an HTTP 429 response, without committing to a specific request-per-minute number.

Request rate

Gumroad's documentation states that the API applies rate limiting and that going over it returns an HTTP 429 Too Many Requests response, but it does not publish a specific requests-per-minute number. The practical approach is to watch for a 429, back off, and retry after a delay rather than assume a fixed ceiling.

Pagination

Listing endpoints page through results with a cursor. A list response, such as for sales, returns up to 10 records and includes a next_page_key, an opaque cursor passed back as page_key to fetch the next page. The older offset-based page parameter is deprecated and can time out on large result sets.

Request size

A sales list page returns up to 10 sales. The documentation does not state a fixed maximum request or response payload size.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
200	`success: false`	Gumroad signals many failures in the response body rather than only by HTTP status. The body carries a success boolean set to false and a message describing the problem, like 'The product was not found.'	Check the success field on every response, not just the HTTP status, and read the message before retrying.
401	`Unauthorized`	The access token is missing, invalid, or expired.	Send a valid access token in the Authorization: Bearer header, and re-run the OAuth flow if the token has been revoked.
403	`Forbidden`	The token is valid but lacks the scope the request needs, for example calling a write method with a read-only scope.	Grant the required scope, like edit_products or edit_sales, and re-authorize the application.
404	`Not Found`	The requested resource does not exist or is not visible to this token.	Confirm the id is correct and belongs to the authenticated seller.
422	`Unprocessable Entity`	The request was well-formed but a parameter is missing or invalid.	Read the message, correct the named parameter, and resend.
429	`Too Many Requests`	The request rate limit was exceeded.	Back off and retry after a delay, and smooth the request rate.

Versioning & freshness

Version history.

Gumroad serves a single version of its API, v2, with no dated version string to pin. Changes are rolled out in place, like the move to cursor pagination for listing endpoints.

Version history

What changed, and when

Latest versionv2

v2Current version

Current API version (v2)

Gumroad serves a single version of its API, v2, reached through the /v2 path. There is no dated version header to pin, so changes are rolled out in place and an integration tracks them through the API documentation. A notable in-place change is the move to cursor pagination for listing endpoints: the offset-based page parameter is deprecated in favor of an opaque next_page_key cursor, because the old parameter can time out on large result sets.

What changed

Cursor pagination: listing endpoints return a next_page_key cursor, and the offset-based page parameter is deprecated.
Resource subscriptions push the events sale, refund, dispute, dispute_won, cancellation, subscription_updated, subscription_ended, and subscription_restarted.
Scopes: view_profile, view_sales, edit_products, edit_sales, mark_sales_as_shipped, and account, with finer scopes available for least-privilege access.

2023-01-09Requires migration

License verify requires product_id

For products created on or after 9 January 2023, the license verify method must be called with the product_id rather than the older product_permalink. An integration verifying licenses for newer products identifies the product by product_id.

What changed

License verify: product_id replaces product_permalink for products created on or after 9 January 2023.

There is no version header to set, so an integration tracks changes through the API documentation.

Gumroad API documentation ↗

Questions

Gumroad API, answered.

How does authentication work, and what scopes are there?+

Gumroad uses OAuth 2.0. A seller approves an application and the application receives an access token, sent on each call as an Authorization: Bearer header or as an access_token parameter. The token carries scopes: view_profile for public profile and product reads, view_sales for sales and subscriber reads, edit_products for product, variant, offer code, and custom field writes, edit_sales for refunds and receipt resends, mark_sales_as_shipped for marking sales shipped, and account for full access to everything.

How do I know if a request failed?+

Check the success field on every response. Gumroad signals many failures in the body with success set to false and a message describing the problem, like 'The product was not found.', rather than relying only on the HTTP status. Authentication and rate-limit problems still use HTTP codes such as 401, 403, and 429, so check both the status and the success field.

How do I receive events instead of polling?+

Create a resource subscription. The API registers a post_url for a chosen resource_name, and Gumroad sends an HTTP POST to that URL when the event fires. The events are sale, refund, dispute, dispute_won, cancellation, subscription_updated, subscription_ended, and subscription_restarted. A subscription needs the view_sales scope, is tied to the OAuth application that created it, and the post_url must be a public HTTP or HTTPS URL.

Does verifying a license need authentication?+

No. The license verify method does not require an OAuth scope or an access token, so it can run from a buyer-facing application. It takes the product_id and the license_key. By default each verify increments the license's uses count; pass increment_uses_count as false to check a key without counting a use. Enabling or disabling a license does require the edit_products scope.

How does pagination work?+

Listing endpoints use a cursor. A list response, such as for sales, returns up to 10 records and a next_page_key, an opaque cursor that is passed back as page_key to fetch the next page. The older offset-based page parameter is deprecated and can time out on large result sets, so the cursor is the way to walk a long list.

What are the rate limits?+

Gumroad's documentation says the API is rate limited and that exceeding the limit returns an HTTP 429 Too Many Requests response, but it does not publish a specific requests-per-minute figure. The reliable approach is to watch for a 429, back off, and retry after a delay rather than assume a fixed ceiling.

What is Bollard AI?

Control what every AI agent can do in Gumroad.

Bollard AI sits between a team's AI agents and Gumroad. Grant each agent exactly the access it needs, read or write, resource by resource, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Gumroad token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Gumroad access in Bollard Browse all APIs →

Gumroad

Sales Agent

View sales ResourceOffReadFull use

Refund a sale ActionOffReadFull use

Products & offer codes ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in Gumroad

How the Gumroad API works.

Connection & authentication methods.

REST API

Resource subscriptions (webhooks)

OAuth 2.0 access token

Application access token

What an AI agent can do in Gumroad.

Products

Variant categories & variants

Offer codes

Custom fields

Sales

Subscribers

Licenses

Resource subscriptions (webhooks)

User

Every Gumroad API method.

Products

Variant categories & variants

Offer codes

Custom fields

Sales

Subscribers

Licenses

Resource subscriptions (webhooks)

User

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Gumroad API, answered.

More e-commerce API guides for agents

BigCommerce

EasyPost

Lemon Squeezy

WooCommerce

Magento

Shippo

Control what every AI agent can do in Gumroad.