Skip to content

Webhooks

Receive real-time notifications for events.

Configure Webhook

curl -X POST http://localhost:8000/api/sso/v1/webhooks \
  -H "Authorization: Bearer TOKEN" \
  -d '{
    "url": "https://yourapp.com/webhooks/usso",
    "events": ["user.created", "user.login", "session.revoked"],
    "secret": "webhook-secret-key"
  }'

Supported Events

  • user.created - New user registered
  • user.updated - User profile updated
  • user.deleted - User deleted
  • user.login - User logged in
  • user.logout - User logged out
  • session.created - New session created
  • session.revoked - Session revoked
  • role.assigned - Role assigned to user
  • workspace.created - Workspace created

Webhook Payload

{
  "id": "evt_abc123",
  "type": "user.created",
  "created_at": "2025-10-04T10:00:00Z",
  "data": {
    "user_id": "user:abc123",
    "tenant_id": "org_company",
    "identifiers": [
      {"type": "email", "identifier": "[email protected]"}
    ]
  }
}

Verify Signature

import hmac
import hashlib

def verify_webhook(payload, signature, secret):
    expected = hmac.new(
        secret.encode(),
        payload.encode(),
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, signature)

@app.post("/webhooks/usso")
def handle_webhook(request: Request):
    signature = request.headers.get("X-USSO-Signature")
    payload = await request.body()

    if not verify_webhook(payload, signature, WEBHOOK_SECRET):
        raise HTTPException(status_code=401)

    # Process webhook
    pass