Every YarnTally instance ships with a REST API and webhook system. Integrate with your Tally, your ERP, your BI, or your custom automation.
Generate an API key from Settings → API Keys. Every request needs an Authorization: Bearer YOUR_KEY header.
curl https://yarntally.vercel.app/api/v1/customers \
-H "Authorization: Bearer sk_live_..." \
-H "Content-Type: application/json"Rate limits: 60 req/min on Trial/Suitable, 300 req/min on Pro, 1200 req/min on Premium+.
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/customers | List all customers (paginated) |
| POST | /api/v1/customers | Create a new customer |
| GET | /api/v1/customers/{id} | Fetch a specific customer |
| GET | /api/v1/inventory | List inventory across all godowns |
| GET | /api/v1/inventory/{sku} | Get stock for a specific SKU |
| POST | /api/v1/sales | Create a sale (generates invoice + decrements stock) |
| GET | /api/v1/sales | List sales (filter by date/customer/status) |
| GET | /api/v1/sales/{id} | Fetch a specific sale + invoice PDF URL |
| POST | /api/v1/purchase-orders | Create a purchase order |
| GET | /api/v1/reports/sales-summary | Aggregated sales summary |
| GET | /api/v1/reports/gstr1 | GSTR-1 formatted export |
Subscribe to any of these events from Settings → Webhooks. Every payload is HMAC-signed with your webhook secret in the X-YarnTally-Signature header.
sale.createdFires when a new sale is logged
sale.cancelledFires when a sale is cancelled
sale.dispatchedFires when order status changes to shipped
invoice.paidFires when payment is received against an invoice
customer.createdFires when a new customer is added
stock.lowFires when a SKU crosses the low-stock threshold
compliance.dueFires 7 days before any compliance deadline (LUT, EDPMS, GST)
// Verify webhook signature (Node.js)
import crypto from "crypto";
function verify(payload, signature, secret) {
const expected = crypto
.createHmac("sha256", secret)
.update(payload)
.digest("hex");
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(signature)
);
}API keys are scoped to your org via row-level security — you cannot accidentally read another org's data even with a hijacked key. Rotate keys any time from Settings. See our Security page for full details.