Skip to Content
Admin ConsoleManaging Webhooks

Managing Webhooks

Webhooks allow Auris to notify your external systems when authentication events occur — such as user creation, login, password changes, role assignments, and more. Instead of polling the Auris API for changes, your server receives real-time HTTP POST notifications with event details.

Access webhook management at ConsoleSettingsWebhooks.

Webhook Overview

The Webhooks page shows all configured webhook endpoints for your tenant:

ColumnDescription
NameA descriptive name for the webhook
URLThe endpoint Auris will send events to
EventsNumber of event types subscribed
StatusActive (green) or Inactive (gray)
Last UsedTimestamp of the most recent delivery
ErrorMost recent error message (if the last delivery failed)

Creating a Webhook

Click Create Webhook

From the Webhooks list page, click the Create Webhook button.

Enter webhook details

FieldRequiredDescription
NameYesA descriptive name (for example, “Slack Notifications”, “Analytics Pipeline”, “CRM Sync”)
URLYesThe HTTPS endpoint that will receive webhook payloads. Must be a valid URL starting with https://.
DescriptionNoAdditional context about what this webhook is used for

Select events

Choose which events this webhook should receive. Events are organized into categories:

CategoryExample Events
Authenticationuser.login, user.logout, user.signup, user.password_changed
Usersuser.created, user.updated, user.deleted, user.email_verified
Rolesrole.created, role.updated, role.deleted, role.assigned, role.unassigned
Applicationsapplication.created, application.updated, application.deleted
Organizationsorganization.created, member.added, member.removed, invitation.sent
MFAmfa.enabled, mfa.disabled, mfa.challenge_completed
Sessionssession.created, session.revoked
Webhookswebhook.created, webhook.test

Click individual events to select them, or use the Select All / Deselect All controls within each category.

Start by subscribing to only the events you need. Each event generates a delivery attempt, and excessive subscriptions can create unnecessary load on your receiving endpoint. You can always add more events later.

Save

Click Save. The webhook is created in an active state by default.

Webhook Secret

Every webhook is assigned a signing secret upon creation. This secret is used to generate HMAC-SHA256 signatures for each delivery, allowing your server to verify that incoming webhooks genuinely originate from Auris.

Viewing the Secret

The signing secret is displayed once immediately after webhook creation in a confirmation dialog. It is prefixed with whsec_ for easy identification:

whsec_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Copy the secret and store it securely in your application’s environment variables. The secret is not shown again after you dismiss the dialog.

If you lose the webhook secret, you cannot retrieve it. You must rotate the secret to generate a new one. See Rotating Secrets.

Verifying Webhook Signatures

Each webhook delivery includes two headers for signature verification:

HeaderDescription
X-Webhook-SignatureHMAC-SHA256 signature of the request body using the webhook secret
X-Webhook-TimestampUnix timestamp when the delivery was sent (for replay protection)

Verification steps on your server:

  1. Read the X-Webhook-Timestamp header
  2. Verify the timestamp is within an acceptable window (for example, 5 minutes) to prevent replay attacks
  3. Compute HMAC-SHA256(timestamp + "." + requestBody, webhookSecret)
  4. Compare the computed signature with the X-Webhook-Signature header

Example verification in Node.js:

import { createHmac, timingSafeEqual } from 'crypto' function verifyWebhook( body: string, signature: string, timestamp: string, secret: string ): boolean { // Check timestamp freshness (5-minute window) const now = Math.floor(Date.now() / 1000) if (Math.abs(now - parseInt(timestamp)) > 300) { return false // Too old or too far in the future } // Compute expected signature const payload = `${timestamp}.${body}` const expected = createHmac('sha256', secret) .update(payload) .digest('hex') // Constant-time comparison to prevent timing attacks return timingSafeEqual( Buffer.from(signature), Buffer.from(expected) ) }

Testing Webhooks

Before deploying to production, verify that your endpoint correctly receives and processes webhook payloads.

Send Test Event

On the webhook detail page, click the Test button. Auris sends a test event to the configured URL with a sample payload:

{ "event": "webhook.test", "timestamp": "2025-02-10T08:15:00Z", "data": { "message": "This is a test webhook delivery from Auris." } }

The test delivery appears in the Deliveries log, so you can verify the response status code and see any error messages.

Using Webhook Testing Tools

For development, you can use a webhook testing service like webhook.site  or ngrok  to receive and inspect webhook payloads:

  1. Create a temporary URL using your testing tool
  2. Set that URL as the webhook endpoint in the Console
  3. Trigger events (for example, create a test user)
  4. Inspect the received payload in the testing tool
  5. Update the webhook URL to your production endpoint when ready

Viewing Deliveries

Each webhook endpoint has a delivery log showing every event sent to it.

Access the delivery log by clicking any webhook in the list to open the detail page, then scrolling to the Deliveries section.

ColumnDescription
EventThe event type (for example, user.created)
StatusHTTP status code returned by your endpoint
TimestampWhen the delivery was sent
DurationRound-trip time in milliseconds
AttemptsNumber of delivery attempts (1 for success, 2-3 for retries)

Delivery Statuses

Status CodeMeaning
2xx (200, 201, 204)Success — your endpoint acknowledged the delivery
4xxClient error — your endpoint rejected the payload (will not be retried)
5xxServer error — your endpoint had a temporary failure (will be retried)
TimeoutYour endpoint did not respond within 10 seconds
Network ErrorDNS resolution failed or connection was refused

Click any delivery row to see the full details:

  • Request payload: The JSON body sent to your endpoint
  • Response body: The response returned by your endpoint (first 1 KB)
  • Response headers: HTTP headers returned
  • Error message: If the delivery failed, the specific error

Retrying Failed Deliveries

Auris automatically retries failed deliveries (5xx, timeout, network errors) with exponential backoff:

AttemptDelay After Failure
1st retry30 seconds
2nd retry2 minutes
3rd retry10 minutes

After 3 failed attempts, the delivery is marked as failed and no further automatic retries occur.

Manual Retry

To manually retry a failed delivery:

  1. Open the webhook detail page
  2. Find the failed delivery in the log
  3. Click the Retry button on that delivery row

The manual retry sends the exact same payload to the current webhook URL. If you have changed the URL since the original delivery, the retry goes to the new URL.

If a webhook consistently fails, Auris displays an error badge on the webhook in the list view. Check the delivery log for error details. Common causes: endpoint is down, SSL certificate expired, endpoint returns 401 (authentication required), or response timeout (endpoint is too slow).

Rotating Secrets

If you suspect a webhook secret has been compromised, or if you need to rotate secrets as part of a security policy, you can generate a new secret:

Open the webhook detail page

Click the webhook in the list to open its detail view.

Click Rotate Secret

Click the Rotate Secret button (or find it in the actions dropdown menu).

Confirm rotation

A confirmation dialog appears warning that the old secret will be immediately invalidated. Click Rotate to confirm.

Copy the new secret

The new whsec_ secret is displayed once. Copy it and update your application’s environment variables.

Important: Rotation is immediate. As soon as you rotate, the old secret is invalid and all subsequent deliveries are signed with the new secret. If your endpoint is still configured with the old secret, it will reject deliveries until you update it. Plan for a brief window of failed deliveries during the rotation.

To minimize disruption:

  1. Update your endpoint code to accept signatures from either the old or new secret
  2. Rotate the secret in the Console
  3. After confirming deliveries succeed with the new secret, remove the old secret from your endpoint code

Enabling and Disabling Webhooks

Each webhook has an Active toggle on its detail page. When disabled:

  • No events are delivered to the endpoint
  • The webhook configuration is preserved (URL, events, secret)
  • No deliveries appear in the log while disabled
  • Re-enabling resumes deliveries for new events (events that occurred while disabled are not replayed)

Use this to temporarily pause deliveries during endpoint maintenance without losing the webhook configuration.

Event Categories Overview

Auris supports over 50 webhook event types, organized into the following categories:

CategoryEventsDescription
Authentication8 eventsLogin, logout, signup, password changes, MFA events
Users6 eventsUser CRUD, email verification, metadata updates
Roles5 eventsRole CRUD, role assignment/unassignment
Applications4 eventsApplication CRUD, secret rotation
Organizations6 eventsOrg CRUD, member management, invitations
Sessions3 eventsSession creation, refresh, revocation
Tokens3 eventsToken issuance, refresh, revocation
FGA4 eventsModel activation, tuple changes
Webhooks2 eventsWebhook creation, test events
SCIM4 eventsSCIM provisioning sync events

Each event payload follows a consistent structure:

{ "event": "user.created", "timestamp": "2025-02-10T08:15:00Z", "tenantId": "acme-corp", "data": { // Event-specific payload } }

The data field varies per event type and contains the relevant entity data at the time of the event.