Managing Webhooks
Webhooks allow Auris to notify your external systems when authentication events occur — such as user creation, login, password changes, role assignments, and more. Instead of polling the Auris API for changes, your server receives real-time HTTP POST notifications with event details.
Access webhook management at Console → Settings → Webhooks.
Webhook Overview
The Webhooks page shows all configured webhook endpoints for your tenant:
| Column | Description |
|---|---|
| Name | A descriptive name for the webhook |
| URL | The endpoint Auris will send events to |
| Events | Number of event types subscribed |
| Status | Active (green) or Inactive (gray) |
| Last Used | Timestamp of the most recent delivery |
| Error | Most recent error message (if the last delivery failed) |
Creating a Webhook
Click Create Webhook
From the Webhooks list page, click the Create Webhook button.
Enter webhook details
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive name (for example, “Slack Notifications”, “Analytics Pipeline”, “CRM Sync”) |
| URL | Yes | The HTTPS endpoint that will receive webhook payloads. Must be a valid URL starting with https://. |
| Description | No | Additional context about what this webhook is used for |
Select events
Choose which events this webhook should receive. Events are organized into categories:
| Category | Example Events |
|---|---|
| Authentication | user.login, user.logout, user.signup, user.password_changed |
| Users | user.created, user.updated, user.deleted, user.email_verified |
| Roles | role.created, role.updated, role.deleted, role.assigned, role.unassigned |
| Applications | application.created, application.updated, application.deleted |
| Organizations | organization.created, member.added, member.removed, invitation.sent |
| MFA | mfa.enabled, mfa.disabled, mfa.challenge_completed |
| Sessions | session.created, session.revoked |
| Webhooks | webhook.created, webhook.test |
Click individual events to select them, or use the Select All / Deselect All controls within each category.
Start by subscribing to only the events you need. Each event generates a delivery attempt, and excessive subscriptions can create unnecessary load on your receiving endpoint. You can always add more events later.
Save
Click Save. The webhook is created in an active state by default.
Webhook Secret
Every webhook is assigned a signing secret upon creation. This secret is used to generate HMAC-SHA256 signatures for each delivery, allowing your server to verify that incoming webhooks genuinely originate from Auris.
Viewing the Secret
The signing secret is displayed once immediately after webhook creation in a confirmation dialog. It is prefixed with whsec_ for easy identification:
whsec_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6Copy the secret and store it securely in your application’s environment variables. The secret is not shown again after you dismiss the dialog.
If you lose the webhook secret, you cannot retrieve it. You must rotate the secret to generate a new one. See Rotating Secrets.
Verifying Webhook Signatures
Each webhook delivery includes two headers for signature verification:
| Header | Description |
|---|---|
X-Webhook-Signature | HMAC-SHA256 signature of the request body using the webhook secret |
X-Webhook-Timestamp | Unix timestamp when the delivery was sent (for replay protection) |
Verification steps on your server:
- Read the
X-Webhook-Timestampheader - Verify the timestamp is within an acceptable window (for example, 5 minutes) to prevent replay attacks
- Compute
HMAC-SHA256(timestamp + "." + requestBody, webhookSecret) - Compare the computed signature with the
X-Webhook-Signatureheader
Example verification in Node.js:
import { createHmac, timingSafeEqual } from 'crypto'
function verifyWebhook(
body: string,
signature: string,
timestamp: string,
secret: string
): boolean {
// Check timestamp freshness (5-minute window)
const now = Math.floor(Date.now() / 1000)
if (Math.abs(now - parseInt(timestamp)) > 300) {
return false // Too old or too far in the future
}
// Compute expected signature
const payload = `${timestamp}.${body}`
const expected = createHmac('sha256', secret)
.update(payload)
.digest('hex')
// Constant-time comparison to prevent timing attacks
return timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
)
}Testing Webhooks
Before deploying to production, verify that your endpoint correctly receives and processes webhook payloads.
Send Test Event
On the webhook detail page, click the Test button. Auris sends a test event to the configured URL with a sample payload:
{
"event": "webhook.test",
"timestamp": "2025-02-10T08:15:00Z",
"data": {
"message": "This is a test webhook delivery from Auris."
}
}The test delivery appears in the Deliveries log, so you can verify the response status code and see any error messages.
Using Webhook Testing Tools
For development, you can use a webhook testing service like webhook.site or ngrok to receive and inspect webhook payloads:
- Create a temporary URL using your testing tool
- Set that URL as the webhook endpoint in the Console
- Trigger events (for example, create a test user)
- Inspect the received payload in the testing tool
- Update the webhook URL to your production endpoint when ready
Viewing Deliveries
Each webhook endpoint has a delivery log showing every event sent to it.
Access the delivery log by clicking any webhook in the list to open the detail page, then scrolling to the Deliveries section.
| Column | Description |
|---|---|
| Event | The event type (for example, user.created) |
| Status | HTTP status code returned by your endpoint |
| Timestamp | When the delivery was sent |
| Duration | Round-trip time in milliseconds |
| Attempts | Number of delivery attempts (1 for success, 2-3 for retries) |
Delivery Statuses
| Status Code | Meaning |
|---|---|
| 2xx (200, 201, 204) | Success — your endpoint acknowledged the delivery |
| 4xx | Client error — your endpoint rejected the payload (will not be retried) |
| 5xx | Server error — your endpoint had a temporary failure (will be retried) |
| Timeout | Your endpoint did not respond within 10 seconds |
| Network Error | DNS resolution failed or connection was refused |
Click any delivery row to see the full details:
- Request payload: The JSON body sent to your endpoint
- Response body: The response returned by your endpoint (first 1 KB)
- Response headers: HTTP headers returned
- Error message: If the delivery failed, the specific error
Retrying Failed Deliveries
Auris automatically retries failed deliveries (5xx, timeout, network errors) with exponential backoff:
| Attempt | Delay After Failure |
|---|---|
| 1st retry | 30 seconds |
| 2nd retry | 2 minutes |
| 3rd retry | 10 minutes |
After 3 failed attempts, the delivery is marked as failed and no further automatic retries occur.
Manual Retry
To manually retry a failed delivery:
- Open the webhook detail page
- Find the failed delivery in the log
- Click the Retry button on that delivery row
The manual retry sends the exact same payload to the current webhook URL. If you have changed the URL since the original delivery, the retry goes to the new URL.
If a webhook consistently fails, Auris displays an error badge on the webhook in the list view. Check the delivery log for error details. Common causes: endpoint is down, SSL certificate expired, endpoint returns 401 (authentication required), or response timeout (endpoint is too slow).
Rotating Secrets
If you suspect a webhook secret has been compromised, or if you need to rotate secrets as part of a security policy, you can generate a new secret:
Open the webhook detail page
Click the webhook in the list to open its detail view.
Click Rotate Secret
Click the Rotate Secret button (or find it in the actions dropdown menu).
Confirm rotation
A confirmation dialog appears warning that the old secret will be immediately invalidated. Click Rotate to confirm.
Copy the new secret
The new whsec_ secret is displayed once. Copy it and update your application’s environment variables.
Important: Rotation is immediate. As soon as you rotate, the old secret is invalid and all subsequent deliveries are signed with the new secret. If your endpoint is still configured with the old secret, it will reject deliveries until you update it. Plan for a brief window of failed deliveries during the rotation.
To minimize disruption:
- Update your endpoint code to accept signatures from either the old or new secret
- Rotate the secret in the Console
- After confirming deliveries succeed with the new secret, remove the old secret from your endpoint code
Enabling and Disabling Webhooks
Each webhook has an Active toggle on its detail page. When disabled:
- No events are delivered to the endpoint
- The webhook configuration is preserved (URL, events, secret)
- No deliveries appear in the log while disabled
- Re-enabling resumes deliveries for new events (events that occurred while disabled are not replayed)
Use this to temporarily pause deliveries during endpoint maintenance without losing the webhook configuration.
Event Categories Overview
Auris supports over 50 webhook event types, organized into the following categories:
| Category | Events | Description |
|---|---|---|
| Authentication | 8 events | Login, logout, signup, password changes, MFA events |
| Users | 6 events | User CRUD, email verification, metadata updates |
| Roles | 5 events | Role CRUD, role assignment/unassignment |
| Applications | 4 events | Application CRUD, secret rotation |
| Organizations | 6 events | Org CRUD, member management, invitations |
| Sessions | 3 events | Session creation, refresh, revocation |
| Tokens | 3 events | Token issuance, refresh, revocation |
| FGA | 4 events | Model activation, tuple changes |
| Webhooks | 2 events | Webhook creation, test events |
| SCIM | 4 events | SCIM provisioning sync events |
Each event payload follows a consistent structure:
{
"event": "user.created",
"timestamp": "2025-02-10T08:15:00Z",
"tenantId": "acme-corp",
"data": {
// Event-specific payload
}
}The data field varies per event type and contains the relevant entity data at the time of the event.
Related Guides
- Webhook Integration — Developer Guide — Building a webhook consumer with signature verification
- Actions Engine — Alternative for in-flow logic (runs during auth, not after)
- Audit Logs — View all authentication events with full audit trails