Dokumentim
Webhooks
Webhooks njoftojne sistemin tend ne kohe reale. Regjistron nje URL dhe evente; Certifylize dergon kerkesa HTTP POST.
Bazat e kerkeses
- POST + application/json
- User-Agent: Certifylize-Webhooks/1.0
- Body = JSON event envelope
Headers
Header te dobishem per verifikim dhe debug:
- x-certifylize-signature
- x-certifylize-timestamp
- x-certifylize-delivery-id
- x-certifylize-event-type
- x-certifylize-attempt
Llojet e eventeve
Enum-et e brendshme DB dhe emrat publik te eventeve:
| Event publik | DB enum | Pershkrimi |
|---|---|---|
| edu.api_key.created | EDU_API_KEY_CREATED | API key created. |
| edu.api_key.revoked | EDU_API_KEY_REVOKED | API key revoked. |
| edu.credential.issued | EDU_CREDENTIAL_ISSUED | Credential issued. |
| edu.credential.revoked | EDU_CREDENTIAL_REVOKED | Credential revoked. |
| edu.credential.updated | EDU_CREDENTIAL_UPDATED | Credential updated. |
Shenime sigurie
Verifiko firmen, timestamp dhe trajto payload-et ne menyre mbrojtese.
Verifikimi i firmes
message = <timestamp>.<rawBody>
expected = sha256=<hex(HMAC_SHA256(secret, message))>Mbrojtje replay
Refuzo kerkesat me timestamp te vjeter (p.sh. > 5 minuta).
Shembull Node.js
import crypto from "crypto";
const message = ts + "." + rawBody;
const expected = crypto.createHmac("sha256", secret).update(message).digest("hex");Shembull Python
message = f"{ts}.{raw}"
expected = hmac.new(secret, message.encode("utf-8"), hashlib.sha256).hexdigest()Payload shembull
{
"id": "evt_...",
"type": "edu.credential.issued",
"createdAt": "2026-02-21T21:30:46.677Z"
}Zgjidhja e problemeve
- Use raw body for signature verification.
- Return 2xx quickly and process asynchronously.
- Use delivery ID for idempotency.
Testo lokalisht me http://127.0.0.1:8788/webhook dhe /webhooks/:id/test.