Documentation
Webhooks
Webhooks notify your system in real time. You register a URL and subscribe to events; Certifylize sends HTTP POST requests.
Request basics
- POST + application/json
- User-Agent: Certifylize-Webhooks/1.0
- Body = JSON event envelope
Headers
Useful headers for verification and debugging:
- x-certifylize-signature
- x-certifylize-timestamp
- x-certifylize-delivery-id
- x-certifylize-event-type
- x-certifylize-attempt
Event types
Internal DB enums and public event names:
| Public event | DB enum | Description |
|---|---|---|
| edu.api_key.created | EDU_API_KEY_CREATED | API key created. |
| edu.api_key.revoked | EDU_API_KEY_REVOKED | API key revoked. |
| edu.credential.issued | EDU_CREDENTIAL_ISSUED | Credential issued. |
| edu.credential.revoked | EDU_CREDENTIAL_REVOKED | Credential revoked. |
| edu.credential.updated | EDU_CREDENTIAL_UPDATED | Credential updated. |
Security notes
Verify signature, validate timestamp and treat payloads defensively.
Signature verification
message = <timestamp>.<rawBody>
expected = sha256=<hex(HMAC_SHA256(secret, message))>Replay protection
Reject requests with stale timestamps (e.g. > 5 minutes).
Node.js example
import crypto from "crypto";
const message = ts + "." + rawBody;
const expected = crypto.createHmac("sha256", secret).update(message).digest("hex");Python example
message = f"{ts}.{raw}"
expected = hmac.new(secret, message.encode("utf-8"), hashlib.sha256).hexdigest()Sample payload
{
"id": "evt_...",
"type": "edu.credential.issued",
"createdAt": "2026-02-21T21:30:46.677Z"
}Troubleshooting
- Use raw body for signature verification.
- Return 2xx quickly and process asynchronously.
- Use delivery ID for idempotency.
Test locally with http://127.0.0.1:8788/webhook and /webhooks/:id/test.