Events

YorAuth fires webhook events when important things happen in your application. Subscribe to the events relevant to your use case when creating a webhook.

Payload Structure

Every webhook delivery has the same top-level envelope regardless of event type:

json

{
  "event": "user.created",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    ...
  }
}

Field	Type	Description
`event`	string	The event type identifier (e.g. `user.created`).
`timestamp`	string	ISO 8601 timestamp of when the event occurred.
`data`	object	Event-specific payload. See each event below.

User Events

`user.created`

Fires when a new user registers in your application.

json

{
  "event": "user.created",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "email": "jane@example.com",
    "name": "Jane Smith"
  }
}

`user.login`

Fires when a user successfully authenticates (password, magic link, OAuth, passkey, or MFA completion).

json

{
  "event": "user.login",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "email": "jane@example.com"
  }
}

`user.updated`

Fires when a user's profile is updated (e.g. name or email change).

json

{
  "event": "user.updated",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "email": "jane@example.com",
    "name": "Jane Smith"
  }
}

`user.deleted`

Fires when a user account is permanently deleted (including GDPR erasure).

json

{
  "event": "user.deleted",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "email": "jane@example.com"
  }
}

Role Events

`role.assigned`

Fires when a role is assigned to a user.

json

{
  "event": "role.assigned",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "role_id": "rol_abc123",
    "role_name": "admin",
    "scope": null
  }
}

`role.removed`

Fires when a role is removed from a user.

json

{
  "event": "role.removed",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "role_id": "rol_abc123",
    "scope": null
  }
}

`role.created`

Fires when a new role is created in your application.

json

{
  "event": "role.created",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "role_id": "rol_abc123",
    "role_name": "editor",
    "display_name": "Editor"
  }
}

`role.updated`

Fires when an existing role is modified.

json

{
  "event": "role.updated",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "role_id": "rol_abc123",
    "role_name": "editor",
    "display_name": "Content Editor"
  }
}

`role.deleted`

Fires when a role is permanently deleted.

json

{
  "event": "role.deleted",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "role_id": "rol_abc123",
    "role_name": "editor"
  }
}

Permission Events

`permission.granted`

Fires when a permission is added to a role.

json

{
  "event": "permission.granted",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "role_id": "rol_abc123",
    "role_name": "editor",
    "permission": "posts:write"
  }
}

`permission.revoked`

Fires when a permission is removed from a role.

json

{
  "event": "permission.revoked",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "role_id": "rol_abc123",
    "role_name": "editor",
    "permission": "posts:delete"
  }
}

OAuth Connection Events

`connection.created`

Fires when a user connects a social login provider (e.g. Google, GitHub).

json

{
  "event": "connection.created",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "connection_id": "con_def456",
    "user_id": "usr_01hnxyz",
    "provider": "google",
    "provider_user_info": {
      "id": "1234567890",
      "email": "jane@gmail.com",
      "name": "Jane Smith"
    }
  }
}

`connection.refreshed`

Fires when an OAuth access token is refreshed for a connected provider.

json

{
  "event": "connection.refreshed",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "connection_id": "con_def456",
    "user_id": "usr_01hnxyz",
    "provider": "google",
    "expires_at": "2026-02-25T13:00:00+00:00"
  }
}

`connection.failed`

Fires when a token refresh attempt fails for a connected provider.

json

{
  "event": "connection.failed",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "connection_id": "con_def456",
    "user_id": "usr_01hnxyz",
    "provider": "google",
    "failed_refresh_count": 3,
    "last_error": "invalid_grant"
  }
}

`connection.revoked`

Fires when a user disconnects a social login provider.

json

{
  "event": "connection.revoked",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "connection_id": "con_def456",
    "user_id": "usr_01hnxyz",
    "provider": "google"
  }
}

Auth Events

`consent.granted`

Fires when a user grants OIDC consent to an application (client authorization).

json

{
  "event": "consent.granted",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "client_id": "oidc_client_abc",
    "scopes": ["openid", "profile", "email"],
    "type": "explicit"
  }
}

`mfa.enabled`

Fires when a user enables a multi-factor authentication method.

json

{
  "event": "mfa.enabled",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "method_type": "totp"
  }
}

`mfa.disabled`

Fires when a user disables a multi-factor authentication method.

json

{
  "event": "mfa.disabled",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "method_type": "totp"
  }
}

Policy Events

`policy.created`

Fires when an ABAC policy is created.

json

{
  "event": "policy.created",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "policy_id": "pol_ghi789",
    "policy_name": "Premium content access",
    "permission_id": "perm_xyz",
    "expression_type": "cel",
    "is_active": true
  }
}

`policy.updated`

Fires when an ABAC policy is modified.

json

{
  "event": "policy.updated",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "policy_id": "pol_ghi789",
    "policy_name": "Premium content access",
    "permission_id": "perm_xyz",
    "expression_type": "cel",
    "is_active": false
  }
}

`policy.deleted`

Fires when an ABAC policy is permanently deleted.

json

{
  "event": "policy.deleted",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "policy_id": "pol_ghi789",
    "policy_name": "Premium content access",
    "permission_id": "perm_xyz"
  }
}

User Attribute Events

`attribute.set`

Fires when a custom attribute is set on a user.

json

{
  "event": "attribute.set",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "key": "plan",
    "value": "pro"
  }
}

`attribute.deleted`

Fires when a custom attribute is removed from a user.

json

{
  "event": "attribute.deleted",
  "timestamp": "2026-02-25T12:00:00+00:00",
  "data": {
    "user_id": "usr_01hnxyz",
    "key": "plan"
  }
}

Complete Event List

Event	Category
`user.created`	User
`user.login`	User
`user.updated`	User
`user.deleted`	User
`role.assigned`	Role
`role.removed`	Role
`role.created`	Role
`role.updated`	Role
`role.deleted`	Role
`permission.granted`	Permission
`permission.revoked`	Permission
`connection.created`	OAuth Connection
`connection.refreshed`	OAuth Connection
`connection.failed`	OAuth Connection
`connection.revoked`	OAuth Connection
`consent.granted`	Auth
`mfa.enabled`	Auth
`mfa.disabled`	Auth
`policy.created`	Policy
`policy.updated`	Policy
`policy.deleted`	Policy
`attribute.set`	User Attribute
`attribute.deleted`	User Attribute