Webhooks

Events

All available webhook event types and their payload structures.

Event Envelope

Every event uses the same top-level structure:

json
{
  "event": "user.created",
  "data": { ... },
  "timestamp": "2026-01-15T10:30:00.000Z"
}

User Events

user.created

Fired when a new user signs up for the first time or is created via the API.

event.data
json
{
  "event": "user.created",
  "data": {
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "displayName": "John Doe",
      "emailVerified": false,
      "isBanned": false,
      "avatarUrl": null,
      "publicMetadata": null,
      "createdAt": "2026-01-15T10:30:00.000Z",
      "updatedAt": "2026-01-15T10:30:00.000Z"
    }
  },
  "timestamp": "2026-01-15T10:30:00.000Z"
}
user.updated

Fired when a user's profile or metadata is updated.

event.data
json
{
  "event": "user.updated",
  "data": {
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "displayName": "John Doe (Updated)",
      "emailVerified": true,
      "isBanned": false,
      "avatarUrl": "https:0
      10: { 11: "pro" },
      "createdAt": "2026-01-15T10:30:00.000Z",
      "updatedAt": "2026-01-16T09:00:00.000Z"
    }
  },
  "timestamp": "2026-01-16T09:00:00.000Z"
}
user.deleted

Fired when a user account is permanently deleted. The data field contains a snapshot of the user before deletion.

event.data
json
{
  "event": "user.deleted",
  "data": {
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "displayName": "John Doe",
      "createdAt": "2026-01-15T10:30:00.000Z"
    }
  },
  "timestamp": "2026-01-20T11:00:00.000Z"
}
user.signin

Fired when a user signs in successfully via email/password or OAuth.

event.data
json
{
  "event": "user.signin",
  "data": {
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "displayName": "John Doe",
      "emailVerified": true,
      "isBanned": false
    }
  },
  "timestamp": "2026-01-15T10:30:00.000Z"
}
user.signout

Fired when a user explicitly signs out.

event.data
json
{
  "event": "user.signout",
  "data": {
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "displayName": "John Doe",
      "emailVerified": true,
      "isBanned": false
    }
  },
  "timestamp": "2026-01-15T12:00:00.000Z"
}
user.banned

Fired when a user is banned by an admin. All active sessions are revoked.

event.data
json
{
  "event": "user.banned",
  "data": {
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "displayName": "John Doe",
      "isBanned": true
    }
  },
  "timestamp": "2026-01-15T10:30:00.000Z"
}
user.unbanned

Fired when a ban is lifted from a user.

event.data
json
{
  "event": "user.unbanned",
  "data": {
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "displayName": "John Doe",
      "isBanned": false
    }
  },
  "timestamp": "2026-01-16T10:00:00.000Z"
}

Session Events

session.created

Fired when a new session is created — on sign in or token refresh.

event.data
json
{
  "event": "session.created",
  "data": {
    "session": {
      "id": "sess_abc123",
      "userId": "usr_abc123",
      "ipAddress": "203.0.113.1",
      "userAgent": "Mozilla/5.0...",
      "createdAt": "2026-01-15T10:30:00.000Z"
    },
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "displayName": "John Doe"
    }
  },
  "timestamp": "2026-01-15T10:30:00.000Z"
}
session.revoked

Fired when a session is revoked — on sign out or admin force-revoke.

event.data
json
{
  "event": "session.revoked",
  "data": {
    "session": {
      "id": "sess_abc123",
      "userId": "usr_abc123",
      "ipAddress": "203.0.113.1",
      "userAgent": "Mozilla/5.0...",
      "createdAt": "2026-01-15T10:30:00.000Z"
    },
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "displayName": "John Doe"
    }
  },
  "timestamp": "2026-01-15T11:00:00.000Z"
}

Action to Event Mapping

The table below shows which SDK actions and dashboard operations trigger which events.

ActionEvents Fired
SDK: signup()user.created + session.created
SDK: signin()user.signin + session.created
SDK: signout()user.signout + session.revoked
SDK: OAuth login (new user)user.created + session.created
SDK: OAuth login (existing user)user.signin + session.created
SDK: refreshTokens()session.revoked + session.created
Dashboard: Ban useruser.banned
Dashboard: Unban useruser.unbanned
Dashboard: Delete useruser.deleted
Dashboard: Update metadatauser.updated
Backend API: Create useruser.created
Backend API: Update useruser.updated
Backend API: Delete useruser.deleted
Backend API: Ban useruser.banned
Backend API: Unban useruser.unbanned
SDK: revokeSession()session.revoked

Handler Example

A minimal event handler covering the most common user sync cases:

routes/webhooks.ts
const { event, data } = JSON.parse(req.body.toString());

switch (event) {
  case "user.created":
    await db.users.create({ authonId: data.user.id, email: data.user.email });
    break;
  case "user.updated":
    await db.users.update({ authonId: data.user.id }, { name: data.user.displayName });
    break;
  case "user.deleted":
    await db.users.delete({ authonId: data.user.id });
    break;
  case "user.banned":
    await db.users.update({ authonId: data.user.id }, { suspended: true });
    break;
  case "user.unbanned":
    await db.users.update({ authonId: data.user.id }, { suspended: false });
    break;
  case "session.created":
    console.log(`${data.user.email} signed in from ${data.session.ipAddress}`);
    break;
}
Authon — Universal Authentication Platform