Webhooks
Authgear can deliver webhook events to your server when important events such as new user signup happen.
Authgear uses webhooks to notify your application server when events happen in your Authgear project. To use webhooks you will need to:
Create a webhook handler endpoint in your application server.
Configure Authgear to send events to your webhook endpoint.
There are two kinds of events, Blocking and Non-blocking events.
Blocking event is triggered before the operation is performed. The operation can be aborted by your webhook endpoint response.
Non-blocking event is triggered after the operation is performed.
Configure Authgear to send events to your webhook endpoint
In the portal, go to Settings > Webhooks.
Add your webhook endpoints in Blocking Events and Non-Blocking Events, depending on which event you want to listen to.
Click Save.
Webhook Delivery
Webhook handlers must be in HTTPS. This ensures the integrity and confidentiality of the delivery.
The webhook handler endpoint must be an absolute URL. The webhook events are sent to the webhook handler endpoint via POST
requests. The webhook handlers must return a status code within the 2xx
range. Other status codes are considered as a failed delivery.
Each event can have multiple handlers. The order of delivery is unspecified for non-blocking events. Blocking events are delivered in the source order as in the configuration.
Blocking Events
Blocking events are delivered to webhook handlers synchronously, right before committing changes to the database.
Webhook handler must respond with a JSON body to indicate whether the operation should continue.
To let the operation proceed, respond with is_allowed
being set to true
.
To forbid the operation, respond with is_allowed
being set to false
and a non-empty title
and reason
.
If any handler fails the operation, the operation is halted. The title
and reason
will be shown to the end-user as an error message.
Each blocking event webhook handler must respond within 5 seconds. And all blocking handlers in total should take less than 10 seconds to complete. Otherwise, it would be considered a failed delivery.
Webhook Blocking Event Mutations
The webhook handler can optionally mutate the object in the payload. The webhook handlers should specify the mutations in their responses. If the operation is failed, i.e. "is_allowed": false
, the mutation will be discarded.
Given the event
The webhook handler can mutate the user with the following response.
Objects not appearing in mutations
are left intact. The mutated objects will NOT be merged with the original ones.
The mutated payloads are NOT validated and are propagated along the handler chain. The payload will only be validated after traversing the handler chain.
Mutations do NOT generate extra events to avoid infinite loops.
Currently, only the standard_attributes
of the user object are mutable.
Non-blocking Events
Non-blocking events are delivered to webhook handlers asynchronously after the operation is performed (i.e. committed into the database).
The webhook handlers must respond with a status code within the 2xx
range within 60 seconds. Otherwise, it would be considered a failed delivery.
The response body of a non-blocking event webhook handler is ignored.
Webhook Request Body
All webhook events have the following shape:
id
: The ID of the event.seq
: A monotonically increasing signed 64-bit integer.type
: The type of webhook event.payload
: The payload of the webhook event, varies with type.context
: The context of the webhook event.
Webhook Event Context
timestamp
: signed 64-bit UNIX timestamp of when this event is generated. Retried deliveries do not affect this field.user_id
: The ID of the user associated with the event. It may be absent. For example, the user has not been authenticated yet.preferred_languages
: User preferred languages, which are inferred from the request. Return values of theui_locales
query if it is provided in the Auth UI, otherwise return languages in theAccept-Language
request header.language
: User locale which is derived based on user's preferred languages and app's languages config.triggered_by
: Triggered by indicates who triggered the events, values can beuser
oradmin_api
.user
means it is triggered by user in auth ui.admin_api
means it is triggered by admin api or admin portal.
Webhook Event List
Blocking Events
Non-blocking Events
user.pre_create
Occurs right before the user creation. User can be created by user signup, user signup as an anonymous user, or created by the admin via the Portal or API. The operation can be aborted by providing a specific response in your webhook, details see Webhook Blocking Events.
user.profile.pre_update
Occurs right before the update of the user profile.
user.pre_schedule_deletion
Occurs right before account deletion is scheduled.
user.created
Occurs after a new user is created. User can be created by user signup, user signup as an anonymous user, or created by the admin via the Portal or API.
user.profile.updated
Occurs when the user profile is updated.
user.authenticated
Occurs after the user logged in.
user.disabled
Occurs when the user was disabled.
user.reenabled
Occurs when the user was re-enabled.
user.anonymous.promoted
Occurs whenever an anonymous user is promoted to a normal user.
user.deletion_scheduled
Occurs when an account deletion was scheduled.
user.deletion_unscheduled
Occurs when an account deletion was unscheduled.
user.deleted
Occurs when the user was deleted.
identity.email.added
Occurs when a new email is added to an existing user. Email can be added by the user in the setting page, added by the admin through the admin API or Portal.
identity.email.removed
Occurs when an email address is removed from an existing user. Email can be removed by the user in the setting page, removed by admin through admin API or Portal.
identity.email.updated
Occurs when an email address is updated. Email can be updated by the user on the setting page.
identity.phone.added
Occurs when a new phone number is added to an existing user. Phone numbers can be added by the user in the setting page, added by admin through admin API or Portal.
identity.phone.removed
Occurs when a phone number is removed from an existing user. Phone numbers can be removed by the user on the setting page, removed by admin through admin API or Portal.
identity.phone.updated
Occurs when a phone number is updated. Phone numbers can be updated by the user on the setting page.
identity.username.added
Occurs when a new username is added to an existing user. Username can be added by the user in setting page, added by admin through Admin API or Portal.
identity.username.removed
Occurs when the username is removed from an existing user. The username can be removed by the user on the setting page, removed by admin through admin API or Portal.
identity.username.updated
Occurs when the username is updated. The username can be updated by the user on the setting page.
identity.oauth.connected
Occurs when a user has connected to a new OAuth provider.
identity.oauth.disconnected
Occurs when a user is disconnected from an OAuth provider. It can be done by the user disconnecting their OAuth provider in the setting page, or the admin removing the OAuth identity through admin API or Portal.
Check the webhook signatures
Each webhook event request is signed with a secret key shared between Authgear and the webhook handler. The developer must validate the signature and reject requests with invalid signatures to ensure the request originates from Authgear.
The signature is calculated as the hex encoded value of HMAC-SHA256 of the request body and included in the header x-authgear-body-signature
.
To obtain the secret key, visit the portal and go to Advanced -> Webhooks -> Webhook Signature. You may need to reauthenticate yourselves before you can reveal the secret key.
Here is the sample code of how to calculate the signature and verify it.
Payload Reference
The payloads in the webhook events may contain different objects. You can refer to the below for their attributes.
User Object
user
in payload have the following attributes.
Last updated