
Is this Webhook sending purchase details to handle purchases from a Third Party Service secure?

Çağlar Arlı


I'm developing a mobile application for a client that sells digital courses on a service called Teachable that hosts their website and handles the purchase process for them. My client wants to keep using this service for the purchase process, and when a user buys a course, he should have access to it on my app.

Now I did some research on Teachable. To my knowledge, it does not provide an API or some sort of OAuth provider. However, it does offer webhooks.

I thought about a way to implement this behaviour but I have some concerns about my idea, so I would like to hear opinions from more experienced developers in the security field. My idea goes like this:

  1. Let's assume Alice buys a course called "Awesome Course 1".
  2. The Teachable webhook sends a JSON object to my server that includes the following properties: { email: Alice@gmail.com, courseName: Awesome Course 1, courseId: 123}
  3. In my database, I create a random ID and add this JSON object to it. So I have something like this: RandomKey987: { email: Alice@gmail.com, courseName: Awesome Course 1, courseId: 123}
  4. I send Alice an email that contains the ID RandomKey987.
  5. Alice goes to my app, creates an account/logs into her account (that is completely independent of the Teachable Mail/Account she used to buy the course), and enters the ID RandomKey987 in a form, to unlock her course in my app.
  6. On my server, I create a database entry under Alice's field to mark that she bought the course associated with the database entry RandomKey987, which in this case is the course "Awesome Course 1".
  7. I delete the database entry RandomKey987, so no one can unlock this course a second time.

Now my concerns are:

  1. An adversary could just send a similar JSON object in Step 2 that doesn't come from Teachable. The attacker would need to know the HTTP endpoint of my webhook and a valid courseId, and I'm not sure if I can keep these private. Teachable does not provide an API where I could make a request, to validate that the JSON object indeed refers to a valid purchase. Would an imaginable solution be to just keep the HTTP endpoint and the courseIds private?

  2. It won't be possible to guess the ID for a purchase in my database, but could there be another way to get the key I send via email? Assuming no other person than Alice can read this email, this should not be a problem, right?

What's your opinion on this? Did I overlook an important security aspect? Is there a better way to handle this problem?
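
Steps 3 to 7 of the flow described above, as an added example that is not part of the original post: the code comes from a CSPRNG, only its hash is stored, and the delete in step 7 decides which single request may unlock the course. Table and function names are assumptions, and an in-memory SQLite database stands in for the real one.

```python
import hashlib
import secrets
import sqlite3

def open_db():
    """In-memory stand-in for the server database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pending (code_hash TEXT PRIMARY KEY, email TEXT, course_id INTEGER);
        CREATE TABLE unlocked (user_id TEXT, course_id INTEGER,
                               PRIMARY KEY (user_id, course_id));
    """)
    return db

def hash_code(code):
    # The code is high-entropy random data, so a plain SHA-256 is enough here.
    return hashlib.sha256(code.encode()).hexdigest()

def record_purchase(db, email, course_id):
    """Steps 3-4: create the code, keep only its hash, return the code to e-mail."""
    code = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
    with db:
        db.execute("INSERT INTO pending VALUES (?, ?, ?)",
                   (hash_code(code), email, course_id))
    return code

def redeem(db, user_id, code):
    """Steps 5-7: consume the code and unlock the course in one transaction."""
    h = hash_code(code)
    with db:  # commits on success, rolls back on an exception
        row = db.execute("SELECT course_id FROM pending WHERE code_hash = ?",
                         (h,)).fetchone()
        if row is None:
            return None  # unknown or already used code
        # The DELETE is the gate: of two concurrent requests, only one sees rowcount 1.
        if db.execute("DELETE FROM pending WHERE code_hash = ?", (h,)).rowcount != 1:
            return None
        db.execute("INSERT OR IGNORE INTO unlocked VALUES (?, ?)", (user_id, row[0]))
    return row[0]

if __name__ == "__main__":
    db = open_db()
    code = record_purchase(db, "alice@example.com", 123)  # constructed sample purchase
    print(redeem(db, "app-user-1", code))  # first use unlocks the course
    print(redeem(db, "app-user-2", code))  # second use is rejected
```
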