Skip to content

Understanding webhooks
Preview

Webhooks enable your applications to receive instant notifications from Asgardeo, allowing you to respond immediately to important identity-related events. Common use cases for Asgardeo webhooks include:

  • Automatically provision users or send welcome notifications upon successful user registration.
  • Update external user directories or CRM systems whenever a user profile changes.
  • Notify external services or security teams immediately upon password changes or resets.
  • Integrate with SIEM systems to instantly detect and respond to suspicious login attempts or failed authentications.

Using webhooks, you can seamlessly integrate external systems with Asgardeo's identity flows. When an event happens, Asgardeo immediately sends HTTP callbacks to your configured webhook endpoints.

Asgardeo webhooks use the WebSubHub protocol for secure and reliable event delivery.

Note

This feature is currently in Preview. Functionality and event payloads may change during development.
Expect updates without prior notice.

How webhooks work

When an identity-related event (for example user registration, login success, profile update) occurs within Asgardeo, it automatically generates a notification event. Asgardeo sends this event as an HTTP request to your configured webhook URL. The request contains detailed information encoded in a structured JSON payload.

Webhook event types

Asgardeo supports webhooks for identity-related events categorized as follows:

  • Login events
    • Login success
    • Login failure
  • Registration events
    • Registration success
    • Registration failure
  • Token events
    • Access token issued
    • Access token revoked
  • Session events
    • Session established
    • Session presented
    • Session revoked
  • Credential events
    • Credential updates
  • User Account Management events
    • User profile updates
    • User account status changes (lock/unlock, enable/disable, delete)

Each webhook event payload includes structured details compliant with the Security Event Token (SET) specification (RFC 8417), containing issuer information, timestamp, unique identifiers, user and organization context, and event-specific metadata.