access-control.role-revoked.provisional
A role was revoked on the access-control manager; the revocation is provisional until the indexer reaches the configured reorg depth.
A role was revoked on the access-control manager; the revocation is provisional until the indexer reaches the configured reorg depth.
Delivery contract
| Field | Value |
|---|---|
| Event type | access-control.role-revoked.provisional |
| Version | 1 |
| Lifecycle state | provisional |
| Counter-signed receipt required | false |
| SDK type | Webhook.AccessControlRoleRevokedProvisionalV1 |
Related references:
idxr_access_control_role_member
When to consume this event
Consume access-control.role-revoked.provisional when your integration needs early notice that an account lost a role on an access-control manager. DALP emits the event from the indexed RoleRevoked log while the observation is still within the configured reorg depth. Use that provisional signal to stage downstream permission changes rather than to close a final audit record.
Store evt_id, request.idempotency_key when present, and the on-chain identifiers from the payload before you update a downstream authorization cache or review queue. Your consumer must handle retries for the same event and any later lifecycle outcome for the same on-chain observation.
The payload identifies the access manager, account, role, sender, owning system, chain, block, and transaction. Treat accountAddress, sender, and roleId as access-control data that can affect authorization decisions in connected systems.
See webhook idempotency and on-chain outcome for retry, replay, payload-shape, and provisional-event handling.
Payload fields
| Field | Type | Meaning |
|---|---|---|
accessManagerAddress | EVM address | Access-control manager contract that emitted the role-revocation log. |
accountAddress | EVM address | Account whose role membership changed. |
blockNumber | String | Block number for the indexed log. |
chainId | Integer | EVM chain identifier for the indexed log. |
roleId | String | Role identifier revoked from the account. |
sender | EVM address | Address recorded by the contract as the revocation sender. |
systemAddress | EVM address | Owning system resolved for the indexed access-control manager. |
transactionHash | 32-byte EVM hash | Transaction that contained the role-revocation log. |
Payload schema
{
"type": "object",
"properties": {
"accessManagerAddress": {
"type": "string",
"pattern": "^0x[a-fA-F0-9]{40}$"
},
"accountAddress": {
"type": "string",
"pattern": "^0x[a-fA-F0-9]{40}$"
},
"blockNumber": {
"type": "string"
},
"chainId": {
"type": "integer",
"exclusiveMinimum": 0,
"maximum": 9007199254740991
},
"roleId": {
"type": "string"
},
"sender": {
"type": "string",
"pattern": "^0x[a-fA-F0-9]{40}$"
},
"systemAddress": {
"type": "string",
"pattern": "^0x[a-fA-F0-9]{40}$"
},
"transactionHash": {
"type": "string",
"pattern": "^0x[a-fA-F0-9]{64}$"
}
},
"required": [
"accessManagerAddress",
"accountAddress",
"blockNumber",
"chainId",
"roleId",
"sender",
"systemAddress",
"transactionHash"
],
"additionalProperties": false
}TypeScript SDK example
import { verifyWebhook, type Webhook } from "@settlemint/dalp-sdk";
const result = verifyWebhook({
rawBody,
headers,
secret: process.env.DALP_WEBHOOK_SECRET!,
});
if (!result.ok) {
throw new Error(`Webhook verification failed: ${result.code}`);
}
if (result.event.type === "access-control.role-revoked.provisional") {
const event: Webhook.Event<"access-control.role-revoked.provisional"> = result.event;
console.log(event.payload);
}curl example
curl -X POST https://consumer.example.com/dalp/webhooks \
-H "content-type: application/json" \
-H "webhook-id: evt_docs_access_control_role_revoked_provisional_001" \
-H "webhook-timestamp: 1778112000" \
-H "webhook-signature: v1,docs-example-signature" \
--data '{"evt_id":"evt_docs_access_control_role_revoked_provisional_001","type":"access-control.role-revoked.provisional","version":1,"lifecycle_state":"provisional","request":{"idempotency_key":"idem_01JZP7R5W8M9N0P1Q2R3S4T5"},"related":{"idxr_access_control_role_member":"idxr_access_control_role_member_example"},"payload":{"accessManagerAddress":"0x1111111111111111111111111111111111111111","accountAddress":"0x2222222222222222222222222222222222222222","blockNumber":"18445201","chainId":537001,"roleId":"0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","sender":"0x3333333333333333333333333333333333333333","systemAddress":"0x4444444444444444444444444444444444444444","transactionHash":"0xcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"}}'Version history
v1: Initial registry entry foraccess-control.role-revoked.provisional.
Deprecation
This event type is not deprecated.
Manifest
The machine-readable AsyncAPI entry is published in the DALP events manifest.