Marketplace Webhooks

Register partner apps, rotate signing keys, subscribe to trust events, and operate delivery retries


Partner Marketplace & Webhook Delivery

ReformCode partner apps connect external developer tools to public score, trust, readiness, dependency, deploy, policy, and team command-center signals. The marketplace control plane now covers registration, signing-key rotation, HTTPS subscriptions, signed delivery queueing, retry tracking, dead-letter replay, and health reporting.

Register A Partner App

Admins can create a partner app with:

curl -X POST https://reformcode.com/api/admin/partners/marketplace \
  -H "content-type: application/json" \
  -d '{
    "name": "Acme Dev Tools",
    "websiteUrl": "https://acme.example",
    "contactEmail": "partners@acme.example",
    "requestedEvents": ["trust.updated", "score.updated"],
    "allowedOrigins": ["https://docs.acme.example"]
  }'

The response includes a one-time plaintextSecret. Store it immediately. Set PARTNER_SECRET_ENCRYPTION_KEY in production; ReformCode stores encrypted signing material for outbound delivery retries plus a hash and preview for audit checks.

Supported events:

  • score.updated
  • trust.updated
  • readiness.updated
  • team.command_center.updated
  • dependency.incident.created
  • deploy.certification.updated
  • policy.simulation.blocked

Configure Webhooks

Create a subscription for each partner endpoint:

curl -X POST https://reformcode.com/api/admin/partners/marketplace/{appId}/subscriptions \
  -H "content-type: application/json" \
  -d '{
    "endpointUrl": "https://hooks.acme.example/reformcode",
    "events": ["trust.updated", "score.updated"]
  }'

Webhook requests include:

  • x-reformcode-event
  • x-reformcode-delivery
  • x-reformcode-timestamp
  • x-reformcode-signature

Verify the signature as HMAC_SHA256(secret, timestamp + "." + body), computed over the raw request body, and reject requests whose timestamp is older than five minutes.

Partner endpoint requirements:

  • Use HTTPS.
  • Return 2xx only after the event is safely accepted.
  • Deduplicate by x-reformcode-delivery.
  • Preserve the raw request body for signature verification.
  • Ask ReformCode to rotate the key immediately if the secret is exposed.
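The verification and deduplication steps above, as an added example of a partner-side receiver (not ReformCode's own code). It assumes the timestamp header carries Unix seconds and the signature header carries the lowercase hex digest; the page does not state either encoding.

```python
import hashlib
import hmac
import time

# Added example, not ReformCode's own code. Assumed (not stated on the page):
# x-reformcode-timestamp holds Unix seconds and x-reformcode-signature holds
# the lowercase hex HMAC digest.
TOLERANCE_SECONDS = 300  # "reject requests older than five minutes"


def sign(secret: str, timestamp: str, body: bytes) -> str:
    """HMAC_SHA256(secret, timestamp + "." + body), hex encoded."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Verifies signed deliveries and deduplicates by x-reformcode-delivery."""

    def __init__(self, secret: str, now=time.time):
        self._secret = secret
        self._now = now  # injectable clock so the freshness check is testable
        self._seen = set()  # persist in production (e.g. a table with a TTL)

    def accept(self, headers: dict, raw_body: bytes) -> tuple:
        """Return (accepted, reason). Respond 2xx only when accepted is True."""
        h = {k.lower(): v for k, v in headers.items()}
        for name in ("x-reformcode-event", "x-reformcode-delivery",
                     "x-reformcode-timestamp", "x-reformcode-signature"):
            if name not in h:
                return False, f"missing header {name}"
        ts, sig = h["x-reformcode-timestamp"], h["x-reformcode-signature"]
        # Verify over the raw bytes, never a re-serialised body, in constant time
        if not hmac.compare_digest(sign(self._secret, ts, raw_body), sig):
            return False, "bad signature"
        # The timestamp is covered by the signature, so the replay window holds
        try:
            age = self._now() - int(ts)
        except ValueError:
            return False, "bad timestamp"
        if age > TOLERANCE_SECONDS:
            return False, "stale timestamp"
        # Retries reuse the delivery id: ack a repeat without reprocessing it
        delivery_id = h["x-reformcode-delivery"]
        if delivery_id in self._seen:
            return True, "duplicate"
        self._seen.add(delivery_id)
        return True, f"accepted {h['x-reformcode-event']}"
```

A repeated delivery id still gets a 2xx so the sender stops retrying, but the event is processed only once.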

Delivery Operations

Queued deliveries retry with backoff at 1, 5, 15, 30, and 60 minutes. After the retry budget is exhausted, the delivery moves to dead_lettered for manual replay or archive.

Operators can inspect marketplace health and delivery logs from GET /api/admin/partners/marketplace. The health report treats a success rate below 95%, deliveries still retrying, and dead-lettered events as launch risks.

Operational endpoints:

  • POST /api/admin/partners/marketplace/{appId}/deliveries enqueues signed deliveries for matching active subscriptions.
  • POST /api/admin/partners/marketplace/deliveries/dispatch sends due queued or retrying deliveries.
  • POST /api/admin/partners/webhook-deliveries/{deliveryId}/attempts records a response code or network error.
  • POST /api/admin/partners/webhook-deliveries/{deliveryId}/retry manually requeues a failed or dead-lettered delivery.

Key Rotation

Rotate keys regularly and whenever a partner suspects exposure:

curl -X POST https://reformcode.com/api/admin/partners/marketplace/{appId}/keys/rotate

Existing active keys move into rotating status with an expiry window. The new plaintext secret is returned once.