API REFERENCE

POST /api/v1/tamper-report

A plugin calls this endpoint when its local build-stamp verification fails. The call is intentionally quiet: the plugin is already in recovery mode, so CodeOn records the signal without creating a retry storm.

Method: POST
Path: /api/v1/tamper-report

Request body

{
  "plugin_id": "balance-sync",
  "domain": "https://store.example.ge",
  "reported_build_id": "1a8f7353-72ce-4f58-89ef-8e834f0dfc4f",
  "license_key": "SMS-7X4A-9KLM-2NQR-PV5Z",
  "plugin_version": "0.3.18"
}

plugin_id: Required. Must match a known CodeOn plugin id.
domain: Required. Normalized before storage.
reported_build_id: Optional. Stored verbatim for forensics.
license_key: Optional. If valid and known, the matching license is flagged.
plugin_version: Optional. Stored with the report.

Response contract

The endpoint returns HTTP 202 with { "ok": true } for valid reports, invalid schemas, unknown plugin IDs, and most internal insert failures. That is deliberate: tamper reporting is a best-effort signal, not a plugin-facing error channel.

Server behavior

Normalize and store the domain, source IP, user agent, plugin ID, build ID, and plugin version.
Accept reports even when the license key is missing or unknown.
If the license key is valid and known, attach the report to that license.
Flag the license with a tamper reason so admins see it on installation review screens.
Never unblock or re-enable a plugin from this endpoint; recovery happens through license validation and fresh downloads.

Request body

{
  "plugin_id": "balance-sync",
  "domain": "https://store.example.ge",
  "reported_build_id": "1a8f7353-72ce-4f58-89ef-8e834f0dfc4f",
  "license_key": "SMS-7X4A-9KLM-2NQR-PV5Z",
  "plugin_version": "0.3.18"
}

plugin_id: Required. Must match a known CodeOn plugin id.
domain: Required. Normalized before storage.
reported_build_id: Optional. Stored verbatim for forensics.
license_key: Optional. If valid and known, the matching license is flagged.
plugin_version: Optional. Stored with the report.

Response contract

Server behavior

Normalize and store the domain, source IP, user agent, plugin ID, build ID, and plugin version.
Accept reports even when the license key is missing or unknown.
If the license key is valid and known, attach the report to that license.
Flag the license with a tamper reason so admins see it on installation review screens.
Never unblock or re-enable a plugin from this endpoint; recovery happens through license validation and fresh downloads.