Webhooks
Receive real-time notifications about events in your OAuth42 account. Build responsive applications that react to authentication events instantly.
What are Webhooks?
Webhooks allow you to build or set up integrations that subscribe to certain events in OAuth42. When one of those events is triggered, OAuth42 sends an HTTP POST payload to the webhook's configured URL.
Webhooks can be used to update an external tracker, trigger CI/CD pipelines, update a backup mirror, or even deploy to your production server.
Setting Up Webhooks
1. Create a Webhook Endpoint
First, create an HTTPS endpoint in your application that can receive POST requests:
// Express.js example
import express from 'express';

const app = express();
app.use(express.json()); // parse JSON bodies so req.body is populated

app.post('/webhooks/oauth42', async (req, res) => {
  const signature = req.headers['x-oauth42-signature'];
  const payload = req.body;

  // Verify webhook signature (verifySignature is defined in step 3)
  if (!verifySignature(payload, signature)) {
    return res.status(401).send('Invalid signature');
  }

  // Process the event
  switch (payload.event_type) {
    case 'user.created':
      await handleUserCreated(payload.data);
      break;
    case 'user.login':
      await handleUserLogin(payload.data);
      break;
    // ... handle other events
  }

  res.status(200).send('OK');
});
2. Register Your Webhook
In your OAuth42 dashboard:
- Navigate to Settings → Webhooks
- Click "Add Webhook"
- Enter your endpoint URL (must be HTTPS)
- Select the events you want to subscribe to
- Save your webhook configuration
3. Verify Signatures
OAuth42 signs each webhook payload with a secret key. Verify the signature to ensure the webhook came from OAuth42:
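import crypto from 'crypto';

function verifySignature(payload, signature) {
  const secret = process.env.OAUTH42_WEBHOOK_SECRET;

  // Reject requests that arrive without a signature header
  if (typeof signature !== 'string') {
    return false;
  }

  const computedSignature = crypto
    .createHmac('sha256', secret)
    .update(JSON.stringify(payload))
    .digest('hex');

  const received = Buffer.from(signature);
  const expected = Buffer.from(computedSignature);

  // timingSafeEqual throws if the lengths differ, so check that first
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}
Available Events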
User Events
- user.created - A new user is registered
- user.updated - User profile is updated
- user.deleted - User account is deleted
- user.login - User successfully logs in
- user.logout - User logs out
- user.email_verified - User verifies their email
Security Events
- mfa.enabled - User enables MFA
- mfa.disabled - User disables MFA
- password.changed - User changes password
- password.reset - User resets password
- login.failed - Failed login attempt
- account.locked - Account locked due to suspicious activity
Session Events
- session.created - New session created
- session.expired - Session expired
- session.revoked - Session manually revoked
OAuth Events
- token.issued - OAuth token issued
- token.refreshed - OAuth token refreshed
- token.revoked - OAuth token revoked
- client.created - New OAuth client created
- client.updated - OAuth client updated
- client.deleted - OAuth client deleted
Payload Examples
{
  "event_id": "evt_1234567890abcdef",
  "event_type": "user.created",
  "timestamp": "2025-01-15T10:30:00Z",
  "api_version": "2024-01-01",
  "data": {
    "user_id": "usr_abcd1234",
    "email": "[email protected]",
    "username": "johndoe",
    "email_verified": false,
    "mfa_enabled": false,
    "created_at": "2025-01-15T10:30:00Z"
  }
}
Best Practices
✓ Respond Quickly
Return a 200 OK response as quickly as possible. Process the webhook asynchronously to avoid timeouts.
✓ Verify Signatures
Always verify the webhook signature to ensure the payload came from OAuth42 and hasn't been tampered with.
✓ Handle Duplicates
Webhooks may be delivered more than once. Use the event_id to deduplicate events.
✓ Use HTTPS
Webhook endpoints must use HTTPS to ensure secure transmission of sensitive data.
✓ Implement Retry Logic
OAuth42 will retry failed webhook deliveries up to 3 times with exponential backoff. Make sure your endpoint is idempotent.
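The signature and duplicate checks above, combined into one handler, as an added example that is not OAuth42's own code. It assumes the signature header is the hex HMAC-SHA256 of the exact request body bytes, so it verifies the raw body rather than a re-serialized object; handleDelivery, verifyRawSignature, the in-memory Set and the demo values are hypothetical.

```javascript
// Added example (not OAuth42 code). Assumption: the signature header carries
// the hex HMAC-SHA256 of the exact request body bytes.
const crypto = require('node:crypto');

// Constant-time comparison of the received hex signature with the expected one.
function verifyRawSignature(rawBody, signatureHex, secret) {
  if (typeof signatureHex !== 'string') return false; // header missing
  const expected = Buffer.from(
    crypto.createHmac('sha256', secret).update(rawBody).digest('hex')
  );
  const received = Buffer.from(signatureHex);
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}

// Hypothetical in-memory store; a real deployment needs a shared store with expiry.
const seenEventIds = new Set();

// Returns the HTTP status to send and what was done with the delivery.
function handleDelivery(rawBody, signatureHex, secret, seen = seenEventIds) {
  if (!verifyRawSignature(rawBody, signatureHex, secret)) {
    return { status: 401, action: 'rejected' };
  }
  let event;
  try {
    event = JSON.parse(rawBody.toString('utf8')); // parse only after verification
  } catch {
    return { status: 400, action: 'malformed' };
  }
  if (!event || typeof event.event_id !== 'string') {
    return { status: 400, action: 'malformed' };
  }
  if (seen.has(event.event_id)) {
    return { status: 200, action: 'duplicate' }; // acknowledge, do not reprocess
  }
  seen.add(event.event_id);
  return { status: 200, action: 'accepted', event };
}

// Constructed sample delivery, modelled on the payload example on this page.
const demoSecret = 'constructed-demo-secret';
const demoBody = Buffer.from(
  '{"event_id":"evt_1234567890abcdef","event_type":"user.created","data":{"user_id":"usr_abcd1234"}}'
);
const demoSignature = crypto.createHmac('sha256', demoSecret).update(demoBody).digest('hex');
```

In Express, the raw bytes can be captured with the verify option of express.json() or by using express.raw() on the webhook route.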
Testing Webhooks
You can test your webhook endpoint using the OAuth42 dashboard:
- Go to Settings → Webhooks
- Select your webhook configuration
- Click "Send Test Event"
- Choose an event type and send
- Verify your endpoint received and processed the test event
For local development, use tools like ngrok to expose your local server to the internet temporarily.