Webhooks API
Configure webhooks to receive real-time event notifications when things happen in your application. YorAuth sends an HTTP POST to your endpoint when subscribed events occur.
Authentication
All endpoints require a valid JWT access token with the webhooks:manage permission:
```http
Authorization: Bearer {access_token}
```
Supported Events
| Event | Triggered when |
|---|---|
| user.created | A new user registers |
| user.login | A user logs in successfully |
| user.updated | A user's profile is updated |
| user.deleted | A user account is deleted |
| role.assigned | A role is assigned to a user |
| role.removed | A role is removed from a user |
| role.created | A new role is created |
| role.updated | A role is updated |
| role.deleted | A role is deleted |
| permission.granted | A permission is added to a role |
| permission.revoked | A permission is removed from a role |
| connection.created | An OAuth connection is created |
| connection.refreshed | An OAuth connection token is refreshed |
| connection.failed | An OAuth connection fails |
| connection.revoked | An OAuth connection is revoked |
| consent.granted | A user grants OIDC consent |
| mfa.enabled | MFA is enabled for a user |
| mfa.disabled | MFA is disabled for a user |
| policy.created | An ABAC policy is created |
| policy.updated | An ABAC policy is updated |
| policy.deleted | An ABAC policy is deleted |
| attribute.set | A user attribute is set |
| attribute.deleted | A user attribute is deleted |
Webhook Signatures
Each webhook delivery includes a signature header so you can verify the payload came from YorAuth:
```http
X-YorAuth-Signature: sha256=abc123...
X-YorAuth-Event: user.created
X-YorAuth-Delivery-Id: 7c9e6679-7425-40de-944b-e07fc1f90ae7
X-YorAuth-Timestamp: 1708864800
```
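To verify, compute the HMAC-SHA256 of the raw JSON payload body using your webhook secret. The hex-encoded result should match the value after sha256= in the signature header. Compute the HMAC over the body bytes exactly as received, and compare the two values with a constant-time function rather than ===.

```javascript
const crypto = require('crypto');

// HMAC-SHA256 over the raw request body, using the webhook secret as the key
const expected = crypto
  .createHmac('sha256', webhookSecret)
  .update(rawBody)
  .digest();
// Decode the hex digest that follows "sha256=" in X-YorAuth-Signature
const received = Buffer.from(receivedSignature.replace(/^sha256=/, ''), 'hex');
// timingSafeEqual throws on unequal lengths, so check the length first
const isValid = received.length === expected.length &&
  crypto.timingSafeEqual(expected, received);
```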
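A fuller receiver-side check, as an added example that is not part of YorAuth's documentation or code: it wraps the verification above in a function that rejects missing or malformed headers, and shows that a parsed and re-serialized body no longer verifies. The function and constant names, the sample secret and the sample payload are constructed for illustration; the payload shape is an assumption, not YorAuth's documented format.

```javascript
const crypto = require('crypto');

// Verify an X-YorAuth-Signature value against the raw request body.
// rawBody must hold the exact bytes received (Buffer or string), not re-serialized JSON.
function verifyYorAuthSignature(rawBody, signatureHeader, webhookSecret) {
  if (typeof signatureHeader !== 'string') return false; // header missing
  // Require "sha256=" followed by exactly 64 hex characters. Buffer.from(x, 'hex')
  // silently truncates at the first invalid character, so validate before decoding.
  const match = /^sha256=([0-9a-f]{64})$/i.exec(signatureHeader.trim());
  if (!match) return false;

  const expected = crypto.createHmac('sha256', webhookSecret).update(rawBody).digest();
  const received = Buffer.from(match[1], 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values (assumptions for this example, not real YorAuth data).
const SAMPLE_SECRET = 'wh_test_constructed_secret';
const SAMPLE_BODY = Buffer.from('{"event":"user.created",  "data":{"id":"123"}}');

// Header value a sender holding the secret would produce for the given body.
function sampleHeader(body = SAMPLE_BODY, secret = SAMPLE_SECRET) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
}

// Parsing and re-serializing drops the original whitespace, so the bytes differ.
function reserialized(body = SAMPLE_BODY) {
  return Buffer.from(JSON.stringify(JSON.parse(body.toString('utf8'))));
}

console.log('raw body:', verifyYorAuthSignature(SAMPLE_BODY, sampleHeader(), SAMPLE_SECRET));
console.log('re-serialized:', verifyYorAuthSignature(reserialized(), sampleHeader(), SAMPLE_SECRET));
console.log('truncated header:', verifyYorAuthSignature(SAMPLE_BODY, sampleHeader().slice(0, 20), SAMPLE_SECRET));
```

In a web framework, capture the request body as a Buffer before any JSON middleware runs and pass that Buffer to the function.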
Retry Policy
Failed deliveries are retried 3 times with exponential backoff: 30 seconds, 5 minutes, 30 minutes. A delivery is considered failed if your endpoint returns a non-2xx status or does not respond within 30 seconds.
List Webhooks
GET /api/v1/applications/{applicationId}/webhooks
List all webhook configurations for the application.
Response
200 OK
```json
{
  "data": [
    {
      "id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
      "url": "https://example.com/webhooks/yorauth",
      "events": ["user.created", "user.login"],
      "is_active": true,
      "created_at": "2026-02-25T12:00:00Z",
      "updated_at": "2026-02-25T12:00:00Z"
    }
  ]
}
```
Create Webhook
POST /api/v1/applications/{applicationId}/webhooks
Create a new webhook configuration. The signing secret is returned only on creation and cannot be retrieved afterwards.
The secret field in the creation response is shown only once. Store it securely immediately — it cannot be retrieved again.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| url | string (URL) | Yes | HTTPS endpoint to receive events. Private IPs and localhost are rejected. Max 2048 characters. |
| events | array of strings | Yes | One or more events to subscribe to. Must be from the supported events list. |
Response
201 Created
```json
{
  "data": {
    "id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "url": "https://example.com/webhooks/yorauth",
    "secret": "wh_live_abc123...",
    "events": ["user.created", "user.login"],
    "is_active": true,
    "created_at": "2026-02-25T12:00:00Z"
  }
}
```
The response is sent with Cache-Control: no-store to prevent proxy caching of the secret.
Error Responses
| Status | Code | Description |
|---|---|---|
| 400 | VALIDATION_INVALID_FORMAT | URL is not valid |
| 400 | — | URL targets a private IP or localhost (SSRF protection) |
| 400 | — | One or more events are not in the supported events list |
Get Webhook
GET /api/v1/applications/{applicationId}/webhooks/{webhookId}
Retrieve a single webhook configuration. The secret is not included in this response.
Response
200 OK
```json
{
  "data": {
    "id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "url": "https://example.com/webhooks/yorauth",
    "events": ["user.created", "user.login"],
    "is_active": true,
    "created_at": "2026-02-25T12:00:00Z",
    "updated_at": "2026-02-25T12:00:00Z"
  }
}
```
Error Responses
| Status | Code | Description |
|---|---|---|
| 404 | WEBHOOK_NOT_FOUND | Webhook not found |
Update Webhook
PUT /api/v1/applications/{applicationId}/webhooks/{webhookId}
Update a webhook's URL, subscribed events, or active status. All fields are optional.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| url | string (URL) | No | New endpoint URL |
| events | array of strings | No | New event subscription list. Replaces existing subscriptions. |
| is_active | boolean | No | Enable or disable the webhook |
Response
200 OK
```json
{
  "data": {
    "id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "url": "https://example.com/webhooks/yorauth-v2",
    "events": ["user.created", "user.deleted"],
    "is_active": true,
    "created_at": "2026-02-25T12:00:00Z",
    "updated_at": "2026-02-25T14:00:00Z"
  }
}
```
Error Responses
| Status | Code | Description |
|---|---|---|
| 404 | WEBHOOK_NOT_FOUND | Webhook not found |
Delete Webhook
DELETE /api/v1/applications/{applicationId}/webhooks/{webhookId}
Delete a webhook configuration. Pending deliveries will not be retried.
Response
204 No Content
Error Responses
| Status | Code | Description |
|---|---|---|
| 404 | WEBHOOK_NOT_FOUND | Webhook not found |
List Deliveries
GET /api/v1/applications/{applicationId}/webhooks/{webhookId}/deliveries
List the 50 most recent delivery attempts for a webhook, ordered by most recent first.
Response
200 OK
```json
{
  "data": [
    {
      "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "event": "user.created",
      "response_status": 200,
      "delivered_at": "2026-02-25T12:00:05Z",
      "retry_count": 0,
      "created_at": "2026-02-25T12:00:00Z"
    },
    {
      "id": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
      "event": "user.login",
      "response_status": 500,
      "delivered_at": null,
      "retry_count": 3,
      "created_at": "2026-02-25T11:00:00Z"
    }
  ]
}
```
Error Responses
| Status | Code | Description |
|---|---|---|
| 404 | WEBHOOK_NOT_FOUND | Webhook not found |