Credentials
Webhook delivery
LearnCoin's asynchronous event notification system — signed HTTP POSTs to tenant-registered URLs for batch.anchored, credential.claimed, credential.revoked events.
Webhook delivery is how LearnCoin notifies tenants of asynchronous events. Tenants register an HTTPS endpoint via the dashboard; LearnCoin POSTs a signed JSON payload to that endpoint when an event fires. Events include batch.anchored.v1 (a batch's Merkle root landed on-chain), credential.claimed.v1 (a recipient clicked their magic link), credential.revoked.v1 (the tenant revoked a credential via API), and others.
Signatures use HMAC-SHA256 with a tenant-specific webhook secret. Tenants compute the HMAC over the raw request body and compare against the Learncoin-Signature header. Mismatch = drop the request. This protects against spoofed payloads from unauthorized sources.
Delivery is at-least-once with exponential backoff. LearnCoin retries a failed delivery 7 times with increasing delays (1s, 4s, 16s, 1m, 5m, 30m, 6h). Tenants' endpoints should be idempotent — the same event_id may arrive twice if the tenant's endpoint returned a 500 to the first attempt but actually processed it.