Documentation/developers/webhooks.md

# Webhooks

## Overview

The platform sends webhook notifications for key events. Configure webhook endpoints to receive real-time updates.

## Configuration

Register webhook endpoint:

```http
POST /webhooks
Authorization: Bearer <token>

{
  "url": "https://your-system.com/webhook",
  "events": ["application.approved", "certificate.issued"],
  "secret": "your-webhook-secret"
}
```

## Event Types

| Event | Trigger |
|-------|---------|
| `application.submitted` | New application received |
| `application.approved` | Application approved |
| `application.rejected` | Application rejected |
| `application.returned` | Returned for corrections |
| `certificate.issued` | License NFT minted |
| `certificate.revoked` | License revoked |

## Payload Format

```json
{
  "event": "application.approved",
  "timestamp": "2026-02-09T10:00:00Z",
  "data": {
    "applicationId": "APP-2026-00001",
    "licenseType": "TRADE_LICENSE",
    "applicantId": "DL-12345678"
  }
}
```

## Signature Verification

Verify webhook authenticity using HMAC-SHA256:

```javascript
const crypto = require('crypto');

function verifySignature(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}
```

Header: `X-Webhook-Signature: sha256=<signature>`

## Retry Policy

Failed deliveries (non-2xx response) are retried:
- 1st retry: 1 minute
- 2nd retry: 5 minutes
- 3rd retry: 30 minutes
- 4th retry: 2 hours
- 5th retry: 24 hours

After 5 failures, webhook is disabled. Re-enable via API.
docs: Rebuild documentation as enterprise-grade TLAS platform - Migrate from custom HTTP server to VitePress framework - Rename project to Tokenized License Approval System (TLAS) - Add comprehensive documentation for all stakeholders: - Business: Executive summary, value proposition, governance - Operations: Infrastructure, installation, monitoring, backup - Departments: User guide, workflows, verification, issuance - Developers: API reference, authentication, webhooks, SDKs - Compliance: OWASP, DPDP Act, IT Act, audit framework - Add modern theme with dark mode and full-text search - Update Dockerfile for VitePress build process Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-10 00:05:20 -04:00			`# Webhooks`

			`## Overview`

feat: Rebrand to License Authority with Govt of Goa branding - Replace TLAS with License Authority throughout documentation - Add Government of Goa emblem/logo (Ashoka Chakra style) - Update frontend branding to match documentation - Add configurable Swagger API link via VITE_API_BASE_URL env var - Fix Docker build for VitePress (git dependency, .dockerignore) - Fix helmet security headers for HTTP deployments - Add CORS support for VM deployment Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-10 00:46:25 -04:00			`The platform sends webhook notifications for key events. Configure webhook endpoints to receive real-time updates.`
docs: Rebuild documentation as enterprise-grade TLAS platform - Migrate from custom HTTP server to VitePress framework - Rename project to Tokenized License Approval System (TLAS) - Add comprehensive documentation for all stakeholders: - Business: Executive summary, value proposition, governance - Operations: Infrastructure, installation, monitoring, backup - Departments: User guide, workflows, verification, issuance - Developers: API reference, authentication, webhooks, SDKs - Compliance: OWASP, DPDP Act, IT Act, audit framework - Add modern theme with dark mode and full-text search - Update Dockerfile for VitePress build process Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-10 00:05:20 -04:00
			`## Configuration`

			`Register webhook endpoint:`

			```http
			`POST /webhooks`
			`Authorization: Bearer <token>`

			`{`
			`"url": "https://your-system.com/webhook",`
			`"events": ["application.approved", "certificate.issued"],`
			`"secret": "your-webhook-secret"`
			`}`
			```

			`## Event Types`

			`\| Event \| Trigger \|`
			`\|-------\|---------\|`
			\| `application.submitted` \| New application received \|
			\| `application.approved` \| Application approved \|
			\| `application.rejected` \| Application rejected \|
			\| `application.returned` \| Returned for corrections \|
			\| `certificate.issued` \| License NFT minted \|
			\| `certificate.revoked` \| License revoked \|

			`## Payload Format`

			```json
			`{`
			`"event": "application.approved",`
			`"timestamp": "2026-02-09T10:00:00Z",`
			`"data": {`
			`"applicationId": "APP-2026-00001",`
			`"licenseType": "TRADE_LICENSE",`
			`"applicantId": "DL-12345678"`
			`}`
			`}`
			```

			`## Signature Verification`

			`Verify webhook authenticity using HMAC-SHA256:`

			```javascript
			`const crypto = require('crypto');`

			`function verifySignature(payload, signature, secret) {`
			`const expected = crypto`
			`.createHmac('sha256', secret)`
			`.update(payload)`
			`.digest('hex');`
			`return crypto.timingSafeEqual(`
			`Buffer.from(signature),`
			`Buffer.from(expected)`
			`);`
			`}`
			```

			Header: `X-Webhook-Signature: sha256=<signature>`

			`## Retry Policy`

			`Failed deliveries (non-2xx response) are retried:`
			`- 1st retry: 1 minute`
			`- 2nd retry: 5 minutes`
			`- 3rd retry: 30 minutes`
			`- 4th retry: 2 hours`
			`- 5th retry: 24 hours`

			`After 5 failures, webhook is disabled. Re-enable via API.`