Webhook documentation
Webhooks push platform events (learning-progress updates, test results, RAG index updates, etc.) to external systems in real time. Typical uses: hooking up in-house systems, data lakes, Teams bots.
1. Basic specification
- Request format: HTTP POST
- Content-Type: application/json
- Retry: up to 3 retries at 5-second intervals
- Signed (HMAC-SHA256) verification supported
Webhooks are delivered asynchronously. Delivery order is guaranteed within the same user + project scope.
2. Security (signature verification)
Every webhook request includes an X-LMS-Signature header.
X-LMS-Signature: sha256=abcdef123456...
The signature is generated as:
signature = HMAC_SHA256(webhook_secret, request_body)
■ C# (signature-verification example)
var secret = "your_webhook_secret";
var body = await new StreamReader(Request.Body).ReadToEndAsync();
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
var computed = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));
var computedHex = BitConverter.ToString(computed).Replace("-", "").ToLower();
var signature = Request.Headers["X-LMS-Signature"].ToString().Replace("sha256=", "");
if (computedHex != signature)
{
return Unauthorized();
}
3. Webhook event list
| Event | Description |
|---|---|
| user.progress.updated | User's learning progress updated |
| user.test.completed | Test / quiz completed |
| curriculum.course.updated | Course content updated |
| rag.index.rebuilt | RAG index rebuilt |
| rag.crawl.completed | Crawler finished fetching data |
| admin.user.created | New user created |
4. Example payloads
■ user.progress.updated
{
"event": "user.progress.updated",
"timestamp": "2025-03-01T12:40:00Z",
"data": {
"userId": "USR-1034",
"courseId": "CRS-AI-101",
"progress": 68,
"updatedBy": "yamada@company.com"
}
}
■ rag.index.rebuilt
{
"event": "rag.index.rebuilt",
"timestamp": "2025-03-01T09:10:15Z",
"data": {
"indexId": "IDX-2025-02-28",
"documentsIndexed": 4321,
"duration": "83 seconds",
"status": "success"
}
}
5. Retry policy
- 200 OK → delivery succeeded
- Non-200 → up to 3 retries at 5-second intervals
- 3 failures → moved to dead-letter list (viewable in admin)
6. Receiver-endpoint requirements
Your webhook receiver must:
- Require HTTPS
- Accept POST only
- Handle Content-Type: application/json
- Implement signature verification (recommended)
7. Test send (admin UI)
From the RAG-admin or admin screens you can trigger a test webhook. You can verify the connection without waiting for a real event.
Next: RAG pipeline docs →