Documentation
Webhooks
Les webhooks notifient votre systeme en temps reel. Vous enregistrez une URL et des evenements; Certifylize envoie des requetes HTTP POST.
Bases de la requete
- POST + application/json
- User-Agent: Certifylize-Webhooks/1.0
- Body = JSON event envelope
En-tetes
En-tetes utiles pour verification et debug :
- x-certifylize-signature
- x-certifylize-timestamp
- x-certifylize-delivery-id
- x-certifylize-event-type
- x-certifylize-attempt
Types d'evenements
Enums DB internes et noms d'evenements publics :
| Evenement public | Enum DB | Description |
|---|---|---|
| edu.api_key.created | EDU_API_KEY_CREATED | API key created. |
| edu.api_key.revoked | EDU_API_KEY_REVOKED | API key revoked. |
| edu.credential.issued | EDU_CREDENTIAL_ISSUED | Credential issued. |
| edu.credential.revoked | EDU_CREDENTIAL_REVOKED | Credential revoked. |
| edu.credential.updated | EDU_CREDENTIAL_UPDATED | Credential updated. |
Notes de securite
Verifiez la signature, le timestamp et traitez les donnees defensivement.
Verification de signature
message = <timestamp>.<rawBody>
expected = sha256=<hex(HMAC_SHA256(secret, message))>Protection replay
Refusez les requetes avec timestamp trop ancien (p. ex. > 5 minutes).
Exemple Node.js
import crypto from "crypto";
const message = ts + "." + rawBody;
const expected = crypto.createHmac("sha256", secret).update(message).digest("hex");Exemple Python
message = f"{ts}.{raw}"
expected = hmac.new(secret, message.encode("utf-8"), hashlib.sha256).hexdigest()Payload exemple
{
"id": "evt_...",
"type": "edu.credential.issued",
"createdAt": "2026-02-21T21:30:46.677Z"
}Depannage
- Use raw body for signature verification.
- Return 2xx quickly and process asynchronously.
- Use delivery ID for idempotency.
Test local : http://127.0.0.1:8788/webhook et /webhooks/:id/test.