Webhooks

Get notified when events happen in AuthFI. Webhooks send HTTP POST requests to your URL with event data, signed with HMAC-SHA256.

Events

Event                Trigger
user.created         New user registered or provisioned
user.updated         User profile changed
user.deleted         User deactivated/deleted
user.blocked         User blocked after failed logins
login.success        Successful authentication
login.failed         Failed authentication attempt
mfa.enrolled         User enrolled MFA
role.assigned        Role assigned to user
role.removed         Role removed from user
connection.created   SSO connection configured

Payload

{
  "id": "event-uuid",
  "type": "user.created",
  "tenant_id": "tenant-uuid",
  "timestamp": "2026-03-22T10:30:00Z",
  "data": {
    "user_id": "user-uuid",
    "email": "alice@acme.com",
    "name": "Alice Chen"
  }
}

Signature Verification

Every webhook includes an X-AuthFI-Signature header:

X-AuthFI-Signature: sha256=a1b2c3d4e5f6...

Verify it in your handler:

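const crypto = require('crypto');

// body must be the raw request body (string or Buffer) exactly as received,
// not a re-serialized copy of the parsed JSON.
function verifyWebhook(body, signature, secret) {
  // A missing header must fail verification, not crash the handler.
  if (typeof signature !== 'string') return false;
  const expected = Buffer.from('sha256=' + crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex'));
  const received = Buffer.from(signature);
  // timingSafeEqual throws a RangeError when the lengths differ, so check first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}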

Delivery & Retry

  • Webhooks are delivered within seconds of the event
  • Failed deliveries (non-2xx response) are retried with exponential backoff
  • Delivery history is available via the Management API
  • You can inspect response codes and bodies for debugging
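
Because failed deliveries are retried, a handler can receive the same event more than once. The following is an added example, not AuthFI's own code: it verifies the signature over the raw body, then deduplicates on the payload's id before acting. It assumes a retried delivery carries the same id as the original; handleDelivery, onEvent, the in-memory Set and the demo values are names and data constructed for illustration.

```javascript
const crypto = require('crypto');

// Assumption: a retry carries the same event id. In-memory for the example;
// use a shared store with expiry in production.
const processedEventIds = new Set();

// Constant-time check of X-AuthFI-Signature against the raw request bytes.
function signatureIsValid(rawBody, header, secret) {
  if (typeof header !== 'string') return false;
  const mac = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  const expected = Buffer.from('sha256=' + mac);
  const received = Buffer.from(header);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Returns the HTTP status to send and what was done with the delivery.
function handleDelivery(rawBody, header, secret, onEvent) {
  if (!signatureIsValid(rawBody, header, secret)) {
    return { status: 401, action: 'rejected' };
  }
  let event;
  try {
    event = JSON.parse(rawBody.toString('utf8')); // parse only after the MAC checks out
  } catch (err) {
    return { status: 400, action: 'rejected' };
  }
  if (!event || typeof event.id !== 'string') {
    return { status: 400, action: 'rejected' };
  }
  if (processedEventIds.has(event.id)) {
    return { status: 200, action: 'duplicate' }; // 2xx stops further retries
  }
  onEvent(event);                  // if this throws, the id is not recorded
  processedEventIds.add(event.id); // and a later retry is processed normally
  return { status: 200, action: 'processed' };
}

// Constructed sample delivery (secret and values are made up for the demo).
const demoSecret = 'constructed-demo-secret';
const demoBody = Buffer.from(JSON.stringify({
  id: 'evt-0001', type: 'user.created', tenant_id: 'tenant-0001',
  timestamp: '2026-03-22T10:30:00Z', data: { user_id: 'user-0001' },
}));
const demoHeader = 'sha256=' +
  crypto.createHmac('sha256', demoSecret).update(demoBody).digest('hex');
```

Pass the bytes read from the request stream as rawBody; verifying a re-serialized object can fail even for genuine deliveries because key order and whitespace may differ.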