Developer documentation

Build with Reedap

The Reedap REST API lets institutions issue, look up, and verify on-chain credentials, sync students and exam results into their LMS/SIS, and receive signed webhooks when meaningful events happen.

JSON over HTTPSBearer API keysHMAC-SHA256 webhooksCursor paginationTenant-scoped

Quickstart

Issue your first certificate in under two minutes.

Open Admin → API integrations and click Create key with the scopes you need.
Copy the key (shown only once) into your secret manager as REEDAP_API_KEY.
Call the API:

curl -X POST "https://reedap.com/api/public/v1/certificates" \
  -H "Authorization: Bearer $REEDAP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "recipient_name": "Ada Lovelace",
    "recipient_email": "ada@example.com",
    "course": "Intro to Programming",
    "grade": "A",
    "issue_date": "2026-06-18"
  }'

The response includes a verify_url you can email to recipients or print on a certificate as a QR code.

Authentication

Tenant-scoped API keys, sent as Bearer tokens.

Every request (except public verify) must include an Authorization header:

Authorization: Bearer rdp_live_<prefix>_<secret>

Keys belong to one institution (tenant) and carry a set of scopes. You can create read-only keys for analytics dashboards and full-write keys for production SIS sync.

Scope	Grants
certificates:read	List and fetch certificates issued by your institution
certificates:write	Issue new certificates (on-chain mint runs async)
students:read	List students who hold your certificates
students:write	Invite students by email; auto-creates accounts
attempts:read	Read exam attempt results and scores

Treat keys like passwords. Never put them in client JS, mobile bundles, or git history. Revoke immediately from the dashboard if leaked.

Certificates

Issue, list, and look up credentials.

POST/certificatescertificates:write

Issues a new certificate. Returns the record plus a public verify_url. On-chain anchoring happens asynchronously — status starts as pending and transitions to minted once confirmed on BSC.

Parameters

Name	Type	Description
recipient_name	string	Required. Full name as it appears on the credential.
recipient_email	string?	Optional but recommended — enables student lookup.
course	string	Required. Program / course title.
grade	string?	Optional grade or classification.
issue_date	YYYY-MM-DD	Required.
expiry_date	YYYY-MM-DD?	Optional expiration.
metadata	object?	Free-form JSON, included in the on-chain hash.

Response

{
  "id": "5f8c…",
  "certificate_id": "REE-2026-ABCD1234",
  "recipient_name": "Ada Lovelace",
  "course": "Intro to Programming",
  "status": "pending",
  "data_hash": "0x9f…",
  "verify_url": "https://reedap.com/api/public/v1/verify/REE-2026-ABCD1234",
  "created_at": "2026-06-18T12:00:00Z"
}

Try it out

POST /api/public/v1/certificates

API key

Stored locally in this browser only. Create one in Admin → API integrations.

Request body (JSON)

GET/certificatescertificates:read

Lists certificates issued by your institution, newest first. Cursor-paginated.

Parameters

Name	Type	Description
limit	1-200, default 50	Max records to return.
cursor	ISO timestamp	Pass next_cursor from the previous page.
recipient_email	email	Filter by student email.
status	pending \| minting \| minted \| revoked \| failed	Filter by lifecycle state.

Example

curl -G "https://reedap.com/api/public/v1/certificates" \
  -H "Authorization: Bearer $REEDAP_API_KEY" \
  --data-urlencode "limit=20" \
  --data-urlencode "status=minted"

Response

{
  "data": [ { "id": "…", "certificate_id": "REE-…", "status": "minted", … } ],
  "next_cursor": "2026-06-18T11:59:00Z"
}

Try it out

GET /api/public/v1/certificates?limit=20

API key

Stored locally in this browser only. Create one in Admin → API integrations.

Query parameters — leave blank to omit

limit

status

recipient_email

cursor

GET/certificates/{id}certificates:read

Fetch a single certificate by internal UUID or public certificate_id.

Try it out

GET /api/public/v1/certificates/REE-2026-ABCD1234

API key

Stored locally in this browser only. Create one in Admin → API integrations.

Path parameters

id

Students

Enrol students and read your roster.

POST/studentsstudents:write

Invites a student by email. Creates an auth account if needed and adds them to your institution. Idempotent on email.

Example

curl -X POST "https://reedap.com/api/public/v1/students" \
  -H "Authorization: Bearer $REEDAP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email":"new@student.com","full_name":"New Student"}'

Response

{ "user_id": "9f…", "email": "new@student.com", "invited": true }

Try it out

POST /api/public/v1/students

API key

Stored locally in this browser only. Create one in Admin → API integrations.

Request body (JSON)

GET/studentsstudents:read

Returns the unique set of students who hold a certificate from your institution.

Parameters

Name	Type	Description
limit	1-200, default 50	Max records to return.
email	string	Filter by email.

Try it out

GET /api/public/v1/students?limit=50

API key

Stored locally in this browser only. Create one in Admin → API integrations.

Query parameters — leave blank to omit

limit

email

Exam attempts

Sync scores back into your LMS.

GET/attemptsattempts:read

Returns exam attempts across all exams owned by your institution.

Parameters

Name	Type	Description
limit	1-200, default 50
cursor	ISO timestamp	Pagination cursor.
exam_id	uuid	Filter to a single exam.
passed	true \| false	Filter by outcome.

Response

{
  "data": [
    {
      "id": "…",
      "exam_id": "…",
      "user_id": "…",
      "score": 87.5,
      "passed": true,
      "submitted_at": "2026-06-18T10:30:00Z"
    }
  ],
  "next_cursor": null
}

Try it out

GET /api/public/v1/attempts?limit=20

API key

Stored locally in this browser only. Create one in Admin → API integrations.

Query parameters — leave blank to omit

limit

exam_id

passed

cursor

Public verification

No auth required — anyone can verify.

Use this on a public website or in QR codes printed on your certificates. The endpoint looks up the credential, reads the on-chain record, and confirms the hash matches.

GET/verify/{certificate_id}no auth

Returns the certificate, tenant branding, and on-chain match status.

Example

curl "https://reedap.com/api/public/v1/verify/REE-2026-ABCD1234"

Response

{
  "found": true,
  "certificate": { "recipient_name": "Ada Lovelace", "status": "minted", … },
  "tenant": { "name": "University of Lagos", "slug": "unilag" },
  "onChain": { "configured": true, "exists": true, "matches": true,
               "issuedAt": 1750000000, "revokedAt": 0 }
}

Try it out

GET /api/public/v1/verify/REE-2026-ABCD1234

Path parameters

certificate_id

Webhooks

Get notified the moment something happens.

X-Reedap-Event:     certificate.issued
X-Reedap-Signature: sha256=<hex hmac of raw body>
X-Reedap-Delivery:  <uuid>
Content-Type:       application/json

Event	When it fires
certificate.issued	After a certificate is minted on-chain successfully.
certificate.revoked	After a certificate is revoked (and the chain record updated).
attempt.submitted	When a student submits an exam attempt.

Verifying signatures

Always verify the signature with a timing-safe comparison before trusting the payload.

import express from "express";
import crypto from "crypto";

const app = express();

app.post("/webhooks/reedap",
  express.raw({ type: "application/json" }), // need RAW body
  (req, res) => {
    const sig = req.header("X-Reedap-Signature") ?? "";
    const expected = "sha256=" + crypto
      .createHmac("sha256", process.env.REEDAP_WEBHOOK_SECRET)
      .update(req.body) // raw Buffer
      .digest("hex");

    if (sig.length !== expected.length ||
        !crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected))) {
      return res.status(401).send("invalid signature");
    }

    const { event, data } = JSON.parse(req.body.toString("utf8"));
    if (event === "certificate.issued") {
      // sync to your LMS
    }
    res.status(200).send("ok");
  });

Retries: Deliveries currently fire once and are logged in your dashboard. Respond 2xx within 8 seconds. Long-running work should be queued from your handler.

Errors & rate limits

All errors return JSON:

{ "error": "Missing scope: certificates:write" }

Status	Meaning
200 / 201	Success.
400	Bad input — see error field for details.
401	Missing, malformed, or revoked API key.
403	Key is valid but missing the required scope.
404	Resource not found within your tenant.
429	Rate limited — back off and retry.
5xx	Server error — safe to retry idempotent requests.

Every authenticated request is logged with method, path, status, and timestamp, visible to tenant admins in the dashboard.

SDKs & samples

Official SDKs are on the roadmap. The API is plain REST + JSON, so any HTTP client works. Reach out at developers@reedap.com for integration support, sandbox credentials, or to request an SDK in your stack.

Get an API key

Create scoped keys + webhook endpoints in the console.

Try public verify

Paste any certificate ID to see verification in action.