# access-control.role-revoked.provisional Source: https://docs.settlemint.com/docs/events/access-control-role-revoked-provisional A role was revoked on the access-control manager; the revocation is provisional until the indexer reaches the configured reorg depth. A role was revoked on the access-control manager; the revocation is provisional until the indexer reaches the configured reorg depth. ## Delivery contract [#delivery-contract] | Field | Value | | ------------------------------- | ----------------------------------------------- | | Event type | `access-control.role-revoked.provisional` | | Version | `1` | | Lifecycle state | `provisional` | | Counter-signed receipt required | `false` | | SDK type | `Webhook.AccessControlRoleRevokedProvisionalV1` | Related references: * `idxr_access_control_role_member` ## When to consume this event [#when-to-consume-this-event] Consume `access-control.role-revoked.provisional` when your integration needs early notice that an account lost a role on an access-control manager. DALP emits the event from the indexed `RoleRevoked` log while the observation is still within the configured reorg depth. Use that provisional signal to stage downstream permission changes rather than to close a final audit record. Store `evt_id`, `request.idempotency_key` when present, and the on-chain identifiers from the payload before you update a downstream authorization cache or review queue. Your consumer must handle retries for the same event and any later lifecycle outcome for the same on-chain observation. The payload identifies the access manager, account, role, sender, owning system, chain, block, and transaction. Treat `accountAddress`, `sender`, and `roleId` as access-control data that can affect authorization decisions in connected systems. See [webhook idempotency and on-chain outcome](/docs/events/idempotency-and-on-chain-outcome) for retry, replay, payload-shape, and provisional-event handling. ## Payload fields [#payload-fields] | Field | Type | Meaning | | ---------------------- | ---------------- | --------------------------------------------------------------------- | | `accessManagerAddress` | EVM address | Access-control manager contract that emitted the role-revocation log. | | `accountAddress` | EVM address | Account whose role membership changed. | | `blockNumber` | String | Block number for the indexed log. | | `chainId` | Integer | EVM chain identifier for the indexed log. | | `roleId` | String | Role identifier revoked from the account. | | `sender` | EVM address | Address recorded by the contract as the revocation sender. | | `systemAddress` | EVM address | Owning system resolved for the indexed access-control manager. | | `transactionHash` | 32-byte EVM hash | Transaction that contained the role-revocation log. | ## Payload schema [#payload-schema] ```json { "type": "object", "properties": { "accessManagerAddress": { "type": "string", "pattern": "^0x[a-fA-F0-9]{40}$" }, "accountAddress": { "type": "string", "pattern": "^0x[a-fA-F0-9]{40}$" }, "blockNumber": { "type": "string" }, "chainId": { "type": "integer", "exclusiveMinimum": 0, "maximum": 9007199254740991 }, "roleId": { "type": "string" }, "sender": { "type": "string", "pattern": "^0x[a-fA-F0-9]{40}$" }, "systemAddress": { "type": "string", "pattern": "^0x[a-fA-F0-9]{40}$" }, "transactionHash": { "type": "string", "pattern": "^0x[a-fA-F0-9]{64}$" } }, "required": [ "accessManagerAddress", "accountAddress", "blockNumber", "chainId", "roleId", "sender", "systemAddress", "transactionHash" ], "additionalProperties": false } ``` ## TypeScript SDK example [#typescript-sdk-example] ```typescript import { verifyWebhook, type Webhook } from "@settlemint/dalp-sdk"; const result = verifyWebhook({ rawBody, headers, secret: process.env.DALP_WEBHOOK_SECRET!, }); if (!result.ok) { throw new Error(`Webhook verification failed: ${result.code}`); } if (result.event.type === "access-control.role-revoked.provisional") { const event: Webhook.Event<"access-control.role-revoked.provisional"> = result.event; console.log(event.payload); } ``` ## curl example [#curl-example] ```bash curl -X POST https://consumer.example.com/dalp/webhooks \ -H "content-type: application/json" \ -H "webhook-id: evt_docs_access_control_role_revoked_provisional_001" \ -H "webhook-timestamp: 1778112000" \ -H "webhook-signature: v1,docs-example-signature" \ --data '{"evt_id":"evt_docs_access_control_role_revoked_provisional_001","type":"access-control.role-revoked.provisional","version":1,"lifecycle_state":"provisional","request":{"idempotency_key":"idem_01JZP7R5W8M9N0P1Q2R3S4T5"},"related":{"idxr_access_control_role_member":"idxr_access_control_role_member_example"},"payload":{"accessManagerAddress":"0x1111111111111111111111111111111111111111","accountAddress":"0x2222222222222222222222222222222222222222","blockNumber":"18445201","chainId":537001,"roleId":"0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa","sender":"0x3333333333333333333333333333333333333333","systemAddress":"0x4444444444444444444444444444444444444444","transactionHash":"0xcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"}}' ``` ## Version history [#version-history] * `v1`: Initial registry entry for `access-control.role-revoked.provisional`. ## Deprecation [#deprecation] This event type is not deprecated. ## Manifest [#manifest] The machine-readable AsyncAPI entry is published in the [DALP events manifest](/.well-known/dalp-events.json).