Back to Gateway Index
Gumroad logo
Payment Gateway

Gumroad

Creator-focused Merchant of Record for digital products — fastest zero-to-first-sale, steep price at scale

Builder Verdict

Pick Gumroad to validate a digital product in a weekend — migrate off before you scale. Not the right tool if you need a white-label checkout, reliable high-ticket economics, or responsive support.

Complexity

◆ Simple

Region

160+ countries

Fees

10% + $0.50 direct · 30% marketplace

Gumroad is a San Francisco-based creator platform (founded 2011) for selling digital downloads, memberships, physical goods, and license-keyed software. Since January 2025 it operates as a full Merchant of Record, handling global VAT/sales-tax compliance and chargeback risk in exchange for a flat 10% + $0.50 per-sale platform fee (30% for marketplace-driven sales) on top of standard Stripe/PayPal processing costs. Best known for the simplest setup in the category, it trades scaling economics and customization for a frictionless onboarding and a built-in Discover audience.

Last full audit: April 15, 2026

01

Trust Score Breakdown

Account Stability

45/100

Gumroad's weakest dimension. The Iffy AI moderation tool (open-sourced Jan 2025) runs on existing accounts and has permanently banned creators with years of clean sales history. Single-chargeback account shutdowns, purchase-your-own-product triggers, and unclear policy enforcement surface repeatedly in community reports. Appeal path is chatbot-gated with weak human override.

Developer Experience

70/100

Functional REST API v2 at api.gumroad.com/v2 with OAuth 2.0, Bearer-token auth, and HMAC-SHA256 signed Ping webhooks. License-key verification endpoint is useful for indie software. Documentation is serviceable but thin compared to Stripe, and tooling lags behind dev-first peers (Lemon Squeezy, Polar). Several community SDKs available on npm/PyPI.

Payout Reliability

62/100

Clean accounts receive weekly Friday payouts reliably (ACH direct deposit or PayPal). However, payout holds following chargebacks, disputes, or Iffy-triggered flags are frequently reported on Indie Hackers, BBB, and Trustpilot — often with months-long resolution times and no visibility into the reason.

Support Quality

35/100

Uniformly poor across Trustpilot (~1.4/5), BBB, Indie Hackers, and Hacker News. Chatbot-first intake with unanswered emails, weeks-to-months response times, and limited human escalation. CEO responsiveness has dropped sharply since the Iffy rollout.

Track Record

72/100

Operating since 2011; ~78,000 creators and $150M+ annual GMV as of 2025. Survived the near-shutdown in 2015 and remained independent. No major regulatory incidents. Merchant-of-Record transition (Jan 2025) was executed without an outage, though it reshuffled the creator experience.

Transparency

60/100

Headline pricing is plain (10% + $0.50 direct, 30% marketplace) on a single public page. Demerits: FX spread on non-USD payouts is not quantified, chargeback fee amounts are not publicly listed, ban criteria behind Iffy are opaque, and there is no public product changelog beyond sporadic X/blog posts.

02

Availability Matrix

Region Countries Currencies Payout Timing
Global (creator / seller) 160+ countries — see Gumroad Help Center for current list Charges processed in USD; buyers see prices converted to 20+ display currencies (GBP, EUR, JPY, INR, AUD, CAD, CHF, KRW, PLN, etc.) Friday weekly payout cycle (minimum $10 balance); direct bank deposit for supported countries, PayPal for others
Direct bank deposit supported US, Canada, UK, EU/EEA, Australia, Japan, Singapore, Hong Kong, New Zealand, Norway, Liechtenstein, Gibraltar, plus expansions including Malaysia, Kazakhstan, Ecuador, Uruguay, Mauritius, Jamaica, Bosnia & Herzegovina, Nigeria, Bahrain, Jordan, Albania, Dominican Republic, Uzbekistan, Bolivia, Armenia, Sri Lanka, Kuwait, Moldova, Panama, El Salvador, Oman, Iceland, Qatar, Bahamas, Cambodia, Mongolia, Guatemala, Botswana, Ghana, Tunisia, Senegal, Madagascar, North Macedonia, Rwanda, Paraguay, Tanzania, Namibia, Ethiopia, Brunei, Guyana, Macao, Benin, Côte d'Ivoire, Kenya, Monaco, St. Lucia Local currency payout via Stripe Connect; no FX fee on USD→USD, spread on other currencies Weekly (Friday) — typically 2-7 business days to bank
PayPal-only payout (fallback) All other creator countries without local bank support USD into verified PayPal account Weekly — subject to PayPal receiving fees (typically 2-3%)
NOT available US-sanctioned jurisdictions (Cuba, Iran, North Korea, Syria, Crimea/Donetsk/Luhansk) and countries on Stripe's restricted list
03

Feature Snapshot

Digital downloads / instant file delivery

Core product — instant post-purchase download link, supports large files and multiple attachments

Subscriptions / memberships

Monthly, quarterly, biannual, yearly intervals; members access content while subscribed (refined in 2025)

Physical products

Supported alongside digital — you handle fulfillment/shipping

License keys

Auto-generated per sale, verifiable via API — ideal for indie software and lifetime-deal sellers

Discount codes / coupons

Flat or percentage discounts, usage caps, per-product scoping

Affiliate program

Built-in — up to 50% commission, 30-day cookie, $10 minimum payout

Pay-what-you-want pricing

Set '0+' or 'X+' minimum to let buyers name their price

Email / newsletter / posts to customers

Built-in broadcast emails and per-product update posts to existing buyers

Tax handling (VAT / GST / sales tax)

Gumroad became Merchant of Record on Jan 1, 2025 — collects and remits all global taxes on creators' behalf

Webhooks (Ping)

Ping endpoint in settings notifies on sale / refund / subscription events; HMAC-SHA256 signed via X-Gumroad-Signature header

REST API (v2)

api.gumroad.com/v2 — OAuth 2.0, Bearer token auth, endpoints for products, sales, subscribers, license verification

~

Preorders / scheduled release

No dedicated preorder button; sellers schedule release dates and collect emails via 'publish-later' or offer as upcoming product

~

Custom checkout / storefront styling

Product pages and profile customizable (colors, cover, bio) but checkout flow is Gumroad-branded and cannot be self-hosted

04

Pricing Breakdown

Direct sale (your link, site, social) 10% + $0.50
Marketplace / Discover sale (Gumroad drives the customer) 30% flat per transaction
Monthly / subscription plan fee $0 — no monthly, no hidden charges
VAT / sales tax handling (since Jan 2025) Included — Gumroad is Merchant of Record and remits taxes globally
Refund processing fee Gumroad returns its 10% platform fee; creator absorbs original payment-processor costs
Chargeback / dispute fee Reported ~$15-$20 per dispute — not publicly listed on official pricing page
Payout — direct bank deposit (US) Free (standard ACH)
Payout — PayPal / instant payout PayPal/instant payouts incur a small fee; amount varies by region and not publicly listed
Currency conversion Hidden FX spread applied for non-USD payouts (reported ~1-2%)
05

Security & Compliance

PCI DSS compliance Inherited via payment partners (Stripe, PayPal) — Gumroad never stores raw card data, uses processor tokenization
Merchant of Record status Full MoR since Jan 1, 2025 — Gumroad is the seller-of-record for tax, fraud liability, and chargeback risk; creators are shielded from regulatory exposure
Transport encryption 256-bit TLS/SSL on all data transfers
3D Secure / SCA Handled at the processor layer (Stripe SCA + PayPal) — Gumroad inherits 3DS2 support; no creator-side configuration required
Fraud prevention Built-in rule-based checks plus Stripe Radar / PayPal fraud scoring; creators can block countries, emails, and IPs from settings
Account 2FA Email-based two-factor enabled by default on all creator accounts
Webhook signing Ping payloads signed with HMAC-SHA256 via X-Gumroad-Signature header for verification
06

Integration Prompt

Copy & use this 4507-char integration prompt

Production-ready prompt for Claude / GPT / Cursor — handles setup, security, webhooks & gotchas

 
You are integrating Gumroad as the payment layer for a [Django / Next.js / FastAPI / etc.] app selling [digital products / memberships / licensed software]. Gumroad is a Merchant of Record — it collects payment, handles global VAT/sales tax, and absorbs chargeback liability — so your job is NOT to process cards, but to (1) let customers reach Gumroad checkout, (2) receive verified server-to-server notifications when a sale completes, and (3) grant access or deliver license keys on your side.

Requirements:

1. **Checkout flow.** Do NOT build a custom card form. Gumroad's checkout URL is the product's public Gumroad link (e.g. https://{creator}.gumroad.com/l/{product_id}). Either redirect users to it or embed the Gumroad overlay widget (GumroadOverlay JS). Card PCI liability stays with Gumroad — never attempt to collect raw card data yourself.

2. **Ping (webhook) receiver.** In Gumroad Settings → Advanced → Ping endpoint, register a single URL pointing to your server (HTTPS required). Gumroad sends POST form-encoded payloads on `sale`, `refund`, `dispute`, `cancellation`, `subscription_updated`, etc. Implement an endpoint (e.g. `/webhooks/gumroad/`) that:
   - Reads the raw request body.
   - Verifies the `X-Gumroad-Signature` header using HMAC-SHA256 with your webhook secret. Reject anything that doesn't match in constant time (`hmac.compare_digest`).
   - Parses `sale` events to persist `sale_id`, `email`, `product_id`, `price_cents`, `license_key`, `subscription_id` (if present), `purchaser_id`.
   - Acknowledges with HTTP 200 only AFTER the DB write commits. Otherwise Gumroad will retry and you'll double-grant access.
   - Idempotency: key off `sale_id`; ignore duplicates.

3. **License verification (for software / paid APIs).** On client-side activation, POST to `https://api.gumroad.com/v2/licenses/verify` with `product_id` and `license_key`. Check the response: `success=true`, `purchase.refunded=false`, and `purchase.chargebacked=false`. Cache the verification result for a bounded window (e.g. 24h) — don't hit the API on every request. Increment the `uses` counter only on genuine first activations.

4. **Subscription / membership state.** For memberships, react to `subscription_ended`, `subscription_updated`, and `cancellation` pings by updating the subscriber's access flag in your DB. Do not infer expiry from a timer — always confirm via Gumroad's event stream or by polling `GET /v2/subscribers/{id}` with a Bearer token.

5. **Security best practices for Gumroad specifically:**
   - Store the webhook HMAC secret and API access token in environment variables — never in client code.
   - Use OAuth 2.0 access tokens (created at https://app.gumroad.com/api) with the narrowest scope needed.
   - Trust `email` from Ping only for notification; for account linking use `sale_id` as the primary join key because emails can be spoofed on the thank-you-page side.
   - Log all webhook payloads with PII redacted for audit.

6. **Edge cases to handle (all are real and community-reported):**
   - Refunds: Gumroad returns its 10% platform fee but you will NOT be refunded the underlying Stripe/PayPal processing fee; your refund handler should downgrade access, not fail silently.
   - Chargebacks: treat as a full revoke + suspension trigger; Gumroad MoR status absorbs the chargeback, but you must still pull access to the digital good.
   - Account suspensions (Iffy): if your Gumroad account is suspended, all product links 404. Build a static backup page for customers explaining how to re-reach you, so you aren't trapped.
   - Self-test purchases: do NOT buy your own product from the same account — Gumroad's fraud rules will flag it. Use Gumroad's test mode / a second account.

7. **Local development.** Use a tunnel (ngrok, Cloudflare Tunnel) to receive Ping events. Gumroad offers a 'Send test ping to URL' button — exercise it before the first real sale.

Reference endpoints:
- REST API base: `https://api.gumroad.com/v2`
- Products: `GET /products`, `GET /products/{id}`
- Sales: `GET /sales` (paginated, supports `after` cursor)
- Subscribers: `GET /subscribers/{id}`
- License verify: `POST /licenses/verify`
- Auth: Bearer token in `Authorization` header, OR OAuth 2.0 authorization-code flow for multi-creator apps.

Deliver: a Ping webhook handler, a license-verify helper, and a thin client for the REST API v2 covering products/sales/subscribers. Include HMAC verification tests and an idempotency test. Do not build a custom checkout page.

Replace [Django / Next.js / etc.] with your stack. Follows PCI DSS best practices and handles common edge cases.

07

Common Pitfalls

6 items
1

Flat 10% + $0.50 crushes high-ticket sellers

Fees no longer scale down with volume. On a $1,000 sale you lose ~$129 to Gumroad + Stripe combined. For anything above ~$50 average order value, dedicated processors or MoRs with tiered pricing (Paddle, Lemon Squeezy) are materially cheaper. The Jan 2022 move to this flat fee caused a lasting backlash among established creators.

2

Automated account suspensions with weak appeal path

Gumroad's 'Iffy' AI moderation (open-sourced Jan 2025) runs on existing accounts and has permanently banned creators with years of clean sales history. Suspensions for a single chargeback, buying your own product for testing, or unclear policy triggers are repeatedly reported. Support is chatbot-first; real human follow-up can take weeks or never arrive.

3

Payout holds without explanation

New creators — and occasionally established ones — report earnings held for weeks or months after disputes or fraud flags, with no visibility into the reason. BBB and Trustpilot profiles show consistent complaints on this pattern.

4

Checkout is Gumroad-branded and not self-hostable

Product pages and storefronts are customizable within Gumroad's rails, but the actual checkout URL, payment UI, and receipt emails all carry Gumroad branding. If you want a fully white-label checkout on your own domain, Gumroad is the wrong pick — use Stripe, Paddle, or Lemon Squeezy.

5

Refunds keep the transaction fee

When you refund a sale, Gumroad returns its 10% platform fee, but the underlying Stripe/PayPal processing fee (2.9% + $0.30) is NOT returned. On a refunded $10 sale you still eat roughly $0.59. Plan refund policies accordingly for low-ticket items.

6

Content-policy bans for AI-generated or low-effort products

Since Iffy launched, Gumroad has stepped up bans on AI-generated ebooks/courses and products flagged as scam-adjacent. Legitimate sellers in adjacent spaces (prompt packs, Notion templates) have been caught in the sweep. Keep product descriptions specific and differentiated.

08

Community Pulse

Creator sentiment in 2026 is sharply polarized. Beginners and low-volume sellers praise Gumroad for 10-minute setup, zero monthly cost, Merchant-of-Record tax handling, and the built-in Discover audience — many report making their first dollar here. But the dominant narrative from established creators is loss of trust: the 2022 move to a flat 10% + $0.50 fee is still a sore point for high-ticket sellers, and the 'Iffy' AI moderation tool (open-sourced Jan 2025) has produced a stream of permanent bans with weak human appeal paths. Customer support is widely described as chatbot-first and unresponsive, and payout holds following chargebacks or automated flags are a recurring complaint on Indie Hackers, Hacker News, BBB, and Trustpilot. The consensus playbook in community discussions: start on Gumroad, move to Lemon Squeezy or Paddle once monthly revenue clears roughly $2-3k.

💬 Gumroad as an Iffy Problem – My Permanent Ban Indie Hackers · 2025
💬 I lost all my customers and sales due to Gumroad suspending my account for one sale dispute Indie Hackers · 2024
💬 Does anyone use Gumroad for a SaaS business? Indie Hackers · 2024
💬 Tell HN: Gumroad payment — Account suspended, money refunded without any notice Hacker News · 2023
💬 Gumroad is going to increase its fees to 10% for everyone Jan 31st Indie Hackers · 2022

Sentiment last updated: April 2026 · We summarize — never copy — community content. Links go to original threads.

09

Changelog

  1. logo

    downloaded official Gumroad wordmark SVG from Wikimedia Commons and rasterized to 400x55 transparent PNG

  2. pricing

    added initial pricing rows: 10% + $0.50 direct, 30% marketplace, Merchant of Record tax handling, and refund/chargeback/payout/FX notes (latter four marked unverified)

  3. availability

    populated global seller availability (160+ countries), direct-bank-deposit country list, PayPal fallback, and sanctioned-region NOT-available row

  4. features

    populated 13 features covering digital/subscription/physical products, license keys, affiliate program, pay-what-you-want, MoR tax handling, Ping webhooks, and REST API v2

  5. security

    documented PCI DSS via Stripe/PayPal, MoR liability shift, 256-bit TLS, 3DS at processor layer, Radar fraud scoring, 2FA, and HMAC-SHA256 webhook signing

  6. pitfalls

    documented 6 key pitfalls: flat-fee economics, Iffy AI moderation bans, payout holds, non-white-label checkout, refund fee retention, and AI-content bans

  7. community

    wrote community pulse summary and linked 5 verified community threads (Indie Hackers, Hacker News)

  8. trust_score

    initial trust score calculated: overall 58/100. Notable dimensions — account_stability 45 (Iffy bans), support_quality 35 (chatbot-first), developer_experience 70, track_record 72

  9. integration_prompt

    generated stack-agnostic integration prompt covering checkout redirect, Ping webhook HMAC verification, license-verify endpoint, subscription state handling, and MoR edge cases

Back to Gateway Index

LearnWithHasan.com · Payment Gateway Index · No affiliate links · Builder-first