Every audit event the platform emits, fanned out to webhook endpoints whose `events` array matches. 40 action types live today.
Subscribe an endpoint with `{"events": ["*"]}` to receive every event. Subscribe with `["organization.*"]` to scope a webhook to a single namespace, or list specific actions like `["membership.role_changed", "session.created"]`.
Payload envelope
Every webhook body shares the same JSON envelope. Action-specific details live in metadata.
{
"id": "evt_01HX...",
"action": "organization.created",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…", // null if not org-scoped
"user_id": "usr_…", // null if not user-scoped
"target_type": "organization",
"target_id": "org_…",
"metadata": { /* per-action; see below */ },
"actor": {
"type": "user" | "api_key" | "system",
"id": "usr_… | apikey_… | null"
}
}
Each request also carries an `Authio-Signature: v1=<hex(hmac_sha256(body))>` header signed with your endpoint’s plaintext secret (returned once at creation). Verify with the helper in your SDK before trusting the body.
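For receivers without an SDK helper, the check described above can be done by hand. This is an added example, not Authio's SDK code: `verify_and_parse`, `parse_signature_header` and `SEEN_EVENT_IDS` are hypothetical names. It assumes the plaintext secret is used as UTF-8 key bytes and that retries and replays reuse the same event `id`.

```python
import hashlib
import hmac
import json

SEEN_EVENT_IDS = set()  # hypothetical in-memory store; use a shared store with a TTL in production


def parse_signature_header(value):
    """Return the hex digest from 'v1=<hex>', or None if the header is malformed."""
    if not value:
        return None
    scheme, sep, digest = value.strip().partition("=")
    if scheme != "v1" or not sep or len(digest) != 64:
        return None
    try:
        bytes.fromhex(digest)
    except ValueError:
        return None
    return digest.lower()


def verify_and_parse(raw_body, header_value, secrets):
    """Check the HMAC over the exact bytes received, then parse and de-duplicate.

    `secrets` holds the current secret plus, while a rotation is rolling out,
    the other one (a receiver-side choice, not something the page specifies).
    """
    presented = parse_signature_header(header_value)
    if presented is None:
        return None, "bad_signature_header"
    matched = False
    for secret in secrets:
        # Assumption: the plaintext secret is used as UTF-8 key bytes.
        expected = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()
        matched |= hmac.compare_digest(expected, presented)  # constant-time compare
    if not matched:
        return None, "signature_mismatch"
    try:
        event = json.loads(raw_body)
    except ValueError:
        return None, "invalid_json"
    if not (isinstance(event, dict) and isinstance(event.get("id"), str)
            and isinstance(event.get("action"), str)):
        return None, "bad_envelope"
    if event["id"] in SEEN_EVENT_IDS:
        return None, "duplicate"  # retry or replay of an event already handled
    SEEN_EVENT_IDS.add(event["id"])
    return event, "ok"


if __name__ == "__main__":
    secret = "constructed-secret"  # constructed sample values, not real credentials
    body = b'{"id":"evt_demo","action":"session.created","metadata":{}}'
    sig = "v1=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    print(verify_and_parse(body, sig, [secret])[1])         # valid delivery
    print(verify_and_parse(body, sig, [secret])[1])         # same id again
    print(verify_and_parse(body + b" ", sig, [secret])[1])  # body altered in transit
```

Pass the raw request bytes, not a re-serialized JSON object, because any change in whitespace or key order changes the HMAC.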
Organizations
Lifecycle events for a tenant's customer-owned organizations. Listen for these to mirror the org graph into your own product.
Fires when an organization is created via the Management API or the dashboard.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "organization.created",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": null,
"target_type": "organization",
"target_id": "org_…",
"metadata": {
"name": "Acme Co",
"slug": "acme"
},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Fires when an organization's name, slug, or branding changes.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "organization.updated",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": null,
"target_type": "organization",
"target_id": "org_…",
"metadata": {
"fields": [
"name",
"branding.logo_url"
]
},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Fires when an organization is hard-deleted. Memberships are cascade-removed; their `membership.removed` events fire first.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "organization.deleted",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": null,
"target_type": "organization",
"target_id": "org_…",
"metadata": {},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Memberships
Bindings between a user and an organization. Each fires per membership, so a user joining three orgs produces three events.
Fires when a user joins an organization (invite accepted, SCIM provision, JIT SAML).
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "membership.created",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": "usr_…",
"target_type": "membership",
"target_id": "mem_…",
"metadata": {
"role": "member",
"source": "invitation"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when an operator changes a member's role inside an organization.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "membership.role_changed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": "usr_…",
"target_type": "membership",
"target_id": "mem_…",
"metadata": {
"from": "member",
"to": "admin"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when an operator suspends, reactivates, or otherwise transitions a membership's status without removing it.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "membership.status_changed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": "usr_…",
"target_type": "membership",
"target_id": "mem_…",
"metadata": {
"from": "active",
"to": "suspended"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when a user is removed from an organization (operator action, SCIM deprovision, organization deletion).
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "membership.removed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": "usr_…",
"target_type": "membership",
"target_id": "mem_…",
"metadata": {},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Invitations
Surface invitation lifecycle if you mirror outstanding invites elsewhere.
Fires when an invitation is sent. Includes the target email for the invite token.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "invitation.created",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": null,
"target_type": "invitation",
"target_id": "inv_…",
"metadata": {
"email": "new@acme.test",
"role": "member"
},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Sessions
Authentication events emitted by auth-core. Useful for security analytics and 'currently signed in' dashboards.
Fires when a fresh session is minted (any primary method: passkey, magic link, OAuth, SAML).
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "session.created",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"active_org_id": "org_abc",
"method": "passkey"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires the first time a session picks an active organization (for a user with multiple memberships).
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "session.org_selected",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires every time an already-authenticated session swaps its active organization to a different membership.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "session.org_switched",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"from_org_id": "org_abc",
"to_org_id": "org_xyz"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when the refresh token rotates and a new access token is minted.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "session.refreshed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Authentication
Per-attempt signals from the risk engine and step-up sub-flows.
Fires on every primary sign-in attempt, before the risk decision is rendered.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "auth.signin_attempt",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"method": "magic_link",
"ip": "203.0.113.5"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when the risk engine returns `deny` instead of allow / step-up.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "auth.denied_by_risk",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"reasons": [
"bot_signal",
"tor_exit"
]
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when a sign-in is held back for a second factor (passkey or magic link confirmation).
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "auth.step_up_required",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"challenge_id": "sup_…",
"required_method": "passkey",
"reasons": [
"new_device"
]
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when the user requests the magic-link variant of an outstanding step-up challenge.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "auth.step_up_magic_link_sent",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"challenge_id": "sup_…"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when a step-up challenge is consumed and the withheld session is finally minted.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "auth.step_up_satisfied",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"challenge_id": "sup_…",
"original_method": "magic_link",
"step_up_method": "passkey"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Account recovery
Backup-code and time-locked recovery flows. Listen for these to alert security teams when recovery is used.
Fires when a user successfully redeems a backup recovery code.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "recovery.code.consumed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"code_id": "rcv_…"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when a code is presented that doesn't match any unused row for the user.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "recovery.code.failed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"reason": "no_match"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when a user kicks off a time-locked or admin-approved recovery request.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "recovery.request.created",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"kind": "time_lock",
"unlocks_at": "2026-05-15T03:00:00Z"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when an admin approves a pending recovery request.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "recovery.request.approved",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when an admin denies a pending recovery request.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "recovery.request.denied",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when an approved/unlocked recovery request is exchanged for a session.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "recovery.request.consumed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {},
"actor": {
"type": "user",
"id": "usr_…"
}
}
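One way to turn the recovery events above into security alerts, as an added example that is not part of the platform's own tooling. The function name, the alert labels and the thresholds (`WINDOW`, `MAX_FAILURES`) are assumptions; the input is a list of already-verified envelopes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_FAILURES = 3                # assumed threshold for a guessing alert


def parse_ts(value):
    """Parse the envelope's created_at (ISO 8601 with a trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recovery_alerts(events):
    """Return (alert, user_id, event_id) tuples for suspicious recovery activity."""
    failures = defaultdict(deque)  # user_id -> timestamps of recent failed codes
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["created_at"])):
        action, user, ts = ev["action"], ev["user_id"], parse_ts(ev["created_at"])
        recent = failures[user]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()  # forget failures older than the window
        if action == "recovery.code.failed":
            recent.append(ts)
            if len(recent) == MAX_FAILURES:
                alerts.append(("recovery_code_guessing", user, ev["id"]))
        elif action == "recovery.code.consumed" and recent:
            # A successful redemption right after failures deserves a look.
            alerts.append(("recovery_after_failures", user, ev["id"]))
            recent.clear()
        elif action == "recovery.request.consumed":
            # A recovery request was exchanged for a session.
            alerts.append(("recovery_session_minted", user, ev["id"]))
    return alerts


def _ev(i, action, user, hhmm):
    # Constructed sample envelope, trimmed to the fields used here.
    return {"id": f"evt_{i}", "action": action, "user_id": user,
            "created_at": f"2026-05-14T{hhmm}:00.000Z"}


SAMPLE_EVENTS = [
    _ev(1, "recovery.code.failed", "usr_a", "18:00"),
    _ev(2, "recovery.code.failed", "usr_a", "18:01"),
    _ev(3, "recovery.code.failed", "usr_a", "18:02"),
    _ev(4, "recovery.code.consumed", "usr_a", "18:03"),
    _ev(5, "recovery.code.consumed", "usr_b", "18:04"),
    _ev(6, "recovery.request.consumed", "usr_c", "18:05"),
]

if __name__ == "__main__":
    for alert in recovery_alerts(SAMPLE_EVENTS):
        print(alert)
```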
Passkeys
Per-passkey lifecycle, surfaced for self-service security audits.
Fires when a user changes the friendly label on one of their passkeys.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "passkey.renamed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"credential_id": "cred_…",
"from": "iPhone",
"to": "Personal phone"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when a user revokes a passkey (does not fire on the last passkey — that is refused server-side).
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "passkey.revoked",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"credential_id": "cred_…"
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
SSO and Admin Portal
Events tied to the customer self-service SSO experience.
Fires when the platform issues an Admin Portal entry token for a customer-side admin.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "admin_portal.token.minted",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": null,
"target_type": "admin_portal_token",
"target_id": "adm_…",
"metadata": {},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Fires the first time a portal entry token is used.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "admin_portal.token.consumed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": null,
"target_type": "admin_portal_token",
"target_id": "adm_…",
"metadata": {},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
SCIM directories
Lifecycle for directory-of-record integrations from customer-side IdPs (Okta, Entra, JumpCloud, Rippling, ...).
Fires when a SCIM directory + bearer token is minted (one-time visible token).
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "scim.directory.created",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": null,
"target_type": "scim_directory",
"target_id": "sci_…",
"metadata": {},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Fires when an operator revokes a SCIM directory (subsequent SCIM calls return 401).
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "scim.directory.revoked",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": "org_…",
"user_id": null,
"target_type": "scim_directory",
"target_id": "sci_…",
"metadata": {},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Webhook endpoints
Endpoint-lifecycle events. These are deliberately fan-out targets so an operations endpoint can watch other endpoints.
Fires when an endpoint is created. The plaintext signing secret is returned to the caller exactly once and is not in the payload.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "webhook.endpoint.created",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": null,
"target_type": "webhook_endpoint",
"target_id": "web_…",
"metadata": {
"url": "https://app.example.com/hooks/authio",
"events": [
"organization.*"
]
},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Fires when an operator rotates the signing secret. Older deliveries that are still retrying are signed with the new secret on their next attempt.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "webhook.endpoint.secret_rotated",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": null,
"target_type": "webhook_endpoint",
"target_id": "web_…",
"metadata": {},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Fires when an endpoint is revoked. The worker stops scheduling new deliveries for it immediately.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "webhook.endpoint.revoked",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": null,
"target_type": "webhook_endpoint",
"target_id": "web_…",
"metadata": {},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Fires when an operator triggers a replay for a single delivery row.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "webhook.delivery.replayed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": null,
"target_type": "webhook_delivery",
"target_id": "web_…",
"metadata": {
"delivery_id": "del_…",
"original_attempts": 5
},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Audit streams
Fan-out destinations for audit_events (the same firehose this page documents). Useful if you sink logs into another tool.
Fires when an audit stream is configured (stdout, generic_webhook, ...).
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "audit_stream.created",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": null,
"target_type": "audit_stream",
"target_id": "aud_…",
"metadata": {
"destination": "generic_webhook",
"name": "siem-prod"
},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Fires when an audit stream is paused or removed.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "audit_stream.revoked",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": null,
"target_type": "audit_stream",
"target_id": "aud_…",
"metadata": {},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
CLI device codes
Per-developer CLI sign-in events. Mostly internal but useful in regulated environments.
Fires when a developer approves an `authio login` device code in the dashboard.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "cli.device_code.approved",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {
"code": "ABCD-1234",
"expires_in_seconds": 600
},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Fires when a device code is denied or expires without approval.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "cli.device_code.denied",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": "usr_…",
"target_type": null,
"target_id": null,
"metadata": {},
"actor": {
"type": "user",
"id": "usr_…"
}
}
Dashboard operators
Allow-list of humans who can sign into the operator dashboard.
Fires on first-operator bootstrap via the one-shot bootstrap token. Only ever emitted once per project.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "dashboard_operator.bootstrapped",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": null,
"target_type": null,
"target_id": null,
"metadata": {},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Fires when an existing operator adds a new email to the dashboard allow-list.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "dashboard_operator.added",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": null,
"target_type": null,
"target_id": null,
"metadata": {
"email": "new@authio.test"
},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Fires when an operator is removed from the allow-list.
Sample payload
{
"id": "evt_01HXAMPL...",
"action": "dashboard_operator.removed",
"created_at": "2026-05-14T18:42:13.001Z",
"project_id": "proj_2eh2n8gh33c0hxs1",
"organization_id": null,
"user_id": null,
"target_type": null,
"target_id": null,
"metadata": {
"email": "old@authio.test"
},
"actor": {
"type": "api_key",
"id": "apikey_…"
}
}
Don’t see an event you need? Open an issue against authio_proto and the team will scope it for an upcoming release.