FusionAuth developer image
FusionAuth developer logo
  • Back to site
  • Expert Advice
  • Blog
  • Developers
  • Downloads
  • Account
  • Contact sales
Navigate to...
  • Welcome
  • Getting Started
    • Getting Started
    • 5-minute Setup Guide
      • Overview
      • Docker
      • Fast Path
      • Sandbox
    • Setup Wizard & First Login
    • Register a User and Login
    • Self-service Registration
    • Start and Stop FusionAuth
    • Core Concepts
      • Overview
      • Users
      • Roles
      • Groups
      • Registrations
      • Applications
      • Tenants
      • Identity Providers
      • Authentication/Authorization
      • Integration Points
    • Example Apps
      • Overview
      • Dart
      • Go
      • Java
      • JavaScript
      • .NET Core
      • PHP
      • Python
      • Ruby
    • Tutorials
  • Installation Guide
    • Overview
    • System Requirements
    • Server Layout
    • Cloud
    • Cluster
    • Docker
    • Fast Path
    • Kubernetes
      • Overview
      • Deployment Guide
      • Minikube Setup
      • Amazon EKS Setup
      • Google GKE Setup
      • Microsoft AKS Setup
    • Kickstart™
    • Homebrew
    • Marketplaces
    • Packages
    • Database
    • FusionAuth App
    • FusionAuth Search
    • Common Configuration
  • Migration Guide
    • Overview
    • General
    • Auth0
    • Keycloak
    • Amazon Cognito
    • Firebase
    • Microsoft Azure AD B2C
    • Tutorial
  • Admin Guide
    • Overview
    • Account Portal
    • Config Management
    • Editions and Features
    • Key Rotation
    • Licensing
    • Monitoring
    • Prometheus Setup
    • Proxy Setup
    • Reference
      • Overview
      • Configuration
      • CORS
      • Data Types
      • Hosted Login Pages Cookies
      • Known Limitations
      • Password Hashes
    • Releases
    • Roadmap
    • Search And FusionAuth
    • Securing
    • Switch Search Engines
    • Technical Support
    • Troubleshooting
    • Upgrading
    • WebAuthn
  • Login Methods
    • Identity Providers
      • Overview
      • Apple
      • Epic Games
      • External JWT
        • Overview
        • Example
      • Facebook
      • Google
      • HYPR
      • LinkedIn
      • Nintendo
      • OpenID Connect
        • Overview
        • Amazon Cognito
        • Azure AD
        • Discord
        • Github
      • Sony PlayStation Network
      • Steam
      • Twitch
      • Twitter
      • SAML v2
        • Overview
        • ADFS
        • Azure AD
      • SAML v2 IdP Initiated
        • Overview
        • Okta
      • Xbox
    • OIDC & OAuth 2.0
      • Overview
      • Endpoints
      • Tokens
      • OAuth Modes
    • Passwordless
      • Overview
      • Magic Links
      • WebAuthn & Passkeys
    • SAML v2 IdP
      • Overview
      • Google
      • Zendesk
  • Developer Guide
    • Overview
    • API Gateways
      • Overview
      • ngrok Cloud Edge
    • Client Libraries & SDKs
      • Overview
      • Dart
      • Go
      • Java
      • JavaScript
      • .NET Core
      • Node
      • OpenAPI
      • PHP
      • Python
      • React
      • Ruby
      • Typescript
    • Events & Webhooks
      • Overview
      • Writing a Webhook
      • Securing Webhooks
      • Events
        • Overview
        • Audit Log Create
        • Event Log Create
        • JWT Public Key Update
        • JWT Refresh
        • JWT Refresh Token Revoke
        • Kickstart Success
        • Group Create
        • Group Create Complete
        • Group Delete
        • Group Delete Complete
        • Group Update
        • Group Update Complete
        • Group Member Add
        • Group Member Add Complete
        • Group Member Remove
        • Group Member Remove Complete
        • Group Member Update
        • Group Member Update Complete
        • User Action
        • User Bulk Create
        • User Create
        • User Create Complete
        • User Deactivate
        • User Delete
        • User Delete Complete
        • User Email Update
        • User Email Verified
        • User IdP Link
        • User IdP Unlink
        • User Login Failed
        • User Login Id Dup. Create
        • User Login Id Dup. Update
        • User Login New Device
        • User Login Success
        • User Login Suspicious
        • User Password Breach
        • User Password Reset Send
        • User Password Reset Start
        • User Password Reset Success
        • User Password Update
        • User Reactivate
        • User Reg. Create
        • User Reg. Create Complete
        • User Reg. Delete
        • User Reg. Delete Complete
        • User Registration Update
        • User Reg. Update Complete
        • User Reg. Verified
        • User 2FA Method Add
        • User 2FA Method Remove
        • User Update
        • User Update Complete
    • Guides
      • Overview
      • Authentication Tokens
      • Exposing A Local Instance
      • JSON Web Tokens
      • Key Master
      • Localization and Internationalization
      • Multi-Factor Authentication
      • Multi-Tenant
      • Passwordless
      • Registration-based Email Verification
      • Searching With Elasticsearch
      • Securing Your APIs
      • Silent Mode
      • Single Sign-on
      • Two Factor (pre 1.26)
    • Integrations
      • Overview
      • CleanSpeak
      • Kafka
      • Twilio
    • Plugins
      • Overview
      • Writing a Plugin
      • Custom Password Hashing
    • User Control & Gating
      • Overview
      • Gate Unverified Users
      • Gate Unverified Registrations
      • User Account Lockout
  • Customization
    • Email & Templates
      • Overview
      • Configure Email
      • Email Templates
      • Email Variables
      • Message Templates
    • Lambdas
      • Overview
      • Apple Reconcile
      • Client Cred. JWT Populate
      • Epic Games Reconcile
      • External JWT Reconcile
      • Facebook Reconcile
      • Google Reconcile
      • HYPR Reconcile
      • JWT Populate
      • LDAP Connector Reconcile
      • LinkedIn Reconcile
      • Nintendo Reconcile
      • OpenID Connect Reconcile
      • SAML v2 Populate
      • SAML v2 Reconcile
      • SCIM Group Req. Converter
      • SCIM Group Resp. Convtr.
      • SCIM User Req. Converter
      • SCIM User Resp. Converter
      • Sony PSN Reconcile
      • Steam Reconcile
      • Twitch Reconcile
      • Twitter Reconcile
      • Xbox Reconcile
    • Messengers
      • Overview
      • Generic Messenger
      • Twilio Messenger
    • Themes
      • Overview
      • Examples
      • Helpers
      • Localization
      • Template Variables
  • Premium Features
    • Overview
    • Advanced Registration Forms
    • Advanced Threat Detection
    • Application Specific Themes
    • Breached Password Detection
    • Connectors
      • Overview
      • Generic Connector
      • LDAP Connector
      • FusionAuth Connector
    • Entity Management
    • SCIM
      • Overview
      • Azure AD Client
      • Okta Client
      • SCIM-SDK
    • Self Service Account Mgmt
      • Overview
      • Updating User Data & Password
      • Add Two-Factor Authenticator
      • Add Two-Factor Email
      • Add Two-Factor SMS
      • Add WebAuthn Passkey
      • Customizing
      • Troubleshooting
    • WebAuthn
  • APIs
    • Overview
    • Authentication
    • Errors
    • API Explorer
    • Actioning Users
    • API Keys
    • Applications
    • Audit Logs
    • Connectors
      • Overview
      • Generic
      • LDAP
    • Consents
    • Emails
    • Entity Management
      • Overview
      • Entities
      • Entity Types
      • Grants
    • Event Logs
    • Families
    • Forms
    • Form Fields
    • Groups
    • Identity Providers
      • Overview
      • Links
      • Apple
      • External JWT
      • Epic Games
      • Facebook
      • Google
      • HYPR
      • LinkedIn
      • Nintendo
      • OpenID Connect
      • SAML v2
      • SAML v2 IdP Initiated
      • Sony PlayStation Network
      • Steam
      • Twitch
      • Twitter
      • Xbox
    • Integrations
    • IP Access Control Lists
    • JWT
    • Keys
    • Lambdas
    • Login
    • Message Templates
    • Messengers
      • Overview
      • Generic
      • Twilio
    • Multi-Factor/Two Factor
    • Passwordless
    • Reactor
    • Registrations
    • Reports
    • SCIM
      • Overview
      • SCIM User
      • SCIM Group
      • SCIM EnterpriseUser
      • SCIM Service Provider Config.
    • System
    • Tenants
    • Themes
    • Users
    • User Actions
    • User Action Reasons
    • User Comments
    • WebAuthn
    • Webhooks
  • Release Notes

    Webhook APIs

    Overview

    A FusionAuth Webhook is intended to consume JSON events emitted by FusionAuth. Creating a Webhook allows you to tell FusionAuth where you would like to receive these JSON events.

    Webhooks provides a publish - subscribe style integration with FusionAuth. Creating a Webhook is the subscribe portion of this common messaging pattern. If you’re already using Kafka for consuming messages in your infrastructure, see our Kafka integration as well.

    These APIs that are used to manage Webhooks.

    • Create a Webhook

    • Retrieve a Webhook

    • Update a Webhook

    • Delete a Webhook

    Create a Webhook

    This API is used to create a Webhook. Specifying an Id on the URI will instruct FusionAuth to use that Id when creating the Webhook. Otherwise, FusionAuth will create a Id for the Webhook automatically.

    Request

    Create a Webhook without providing an Id. An Id will be automatically generated.

    URI

    POST /api/webhook

    Create a Webhook with the given Id.

    URI

    POST /api/webhook/{webhookId}

    Request Parameters

    webhookId [UUID] Optional defaults to secure random UUID

    The Id to use for the new Webhook. If not specified a secure random UUID will be generated.

    Request Body

    webhook.applicationIds [Array<UUID>] Optional Deprecated

    The Ids of the Applications that this Webhook should be associated with. If no Ids are specified and the global field is false, this Webhook will not be used. Typically global should be set to true.

    Removed in version 1.37.0 In version 1.37.0 and beyond, Webhooks are optionally associated with Tenants instead of Applications. See new field tenantIds.

    webhook.connectTimeout [Integer] Required

    The connection timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhook.data [Object] Optional Available since 1.15.0

    An object that can hold any information about the Webhook that should be persisted.

    webhook.description [String] Optional

    A description of the Webhook. This is used for display purposes only.

    webhook.eventsEnabled [Object] Optional

    A mapping for the events that are enabled for this Webhook. The key of the Object property is the name of the event and the value is a boolean. It should look like this:

    
    {
      "user.create": true,
      "user.delete": false
    }

    The possible event types are:

    • audit-log.create - When an audit log is created Available since 1.30.0

    • event-log.create - When an event log is created Available since 1.30.0

    • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

    • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

    • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

    • kickstart.success - When kickstart has successfully completed Available since 1.30.0

    • user.action - When a user action is triggered

    • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

    • user.create - When a user is created

    • user.create.complete - When a user create transaction has completed Available since 1.30.0

    • user.deactivate - When a user is deactivated

    • user.delete - When a user is deleted

    • user.delete.complete - When a user delete transaction has completed Available since 1.30.0

    • user.email.update - When a user updates their email address Available since 1.30.0

    • user.email.verified - When a user verifies their email address Available since 1.8.0

    • user.identity-provider.link - When a link is created from a user to an Identity Provider Available since 1.36.0

    • user.identity-provider.unlink - When an existing Identity Provider link is removed from a User Available since 1.36.0

    • user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.failed - When a user fails a login request Available since 1.6.0

    • user.login.new-device - When a user begins a login request with a new device Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.success - When a user completes a login request Available since 1.6.0

    • user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license) Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

      Note: A paid plan is required to utilize this event.

    • user.password.reset.send - When a forgot password email has been sent to a user Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.start - When the process to reset a user password has started Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.success - When a user has successfully reset their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.update - When a user has updated their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.reactivate - When a user is reactivated

    • user.registration.create - When a user registration is created Available since 1.6.0

    • user.registration.create.complete - When a user registration create transaction has completed Available since 1.30.0

    • user.registration.delete - When a user registration is deleted Available since 1.6.0

    • user.registration.delete.complete - When a user registration delete transaction has completed Available since 1.30.0

    • user.registration.update - When a user registration is updated Available since 1.6.0

    • user.registration.update.complete - When a user registration update transaction has completed Available since 1.30.0

    • user.registration.verified - When a user completes registration verification Available since 1.8.0

    • user.two-factor.method.add - When a user has added a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.two-factor.method.remove - When a user has removed a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.update - When a user is updated

    • user.update.complete - When a user update transaction has completed Available since 1.30.0

    webhook.global [Boolean] Optional defaults to false

    Whether or not this Webhook is used for all events or just for specific Applications. In almost all cases you want to set this field to true and filter on the application Id when processing the webhook.

    webhook.headers [Map<String, String>] Optional

    An object that contains headers that are sent as part of the HTTP request for the events.

    webhook.httpAuthenticationPassword [String] Optional

    The HTTP basic authentication password that is sent as part of the HTTP request for the events.

    webhook.httpAuthenticationUsername [String] Optional

    The HTTP basic authentication username that is sent as part of the HTTP request for the events.

    webhook.readTimeout [Integer] Required

    The read timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhook.sslCertificate [String] Optional

    An SSL certificate in PEM format that is used to establish the SSL (TLS specifically) connection to the Webhook.

    webhook.tenantIds [Array<UUID>] Optional Available since 1.37.0

    The Ids of the Tenants that this Webhook should be associated with. If no Ids are specified and the global field is false, this Webhook will not be used.

    webhook.url [String] Required

    The fully qualified URL of the Webhook’s endpoint that will accept the event requests from FusionAuth.

    Example Request JSON
    
    {
      "webhook": {
        "connectTimeout": 1000,
        "data": { "updatedBy" : "richard" },
        "description": "The standard game Webhook",
        "eventsEnabled": {
          "user.create": true,
          "user.delete": false
        },
        "global": false,
        "headers": {
          "Header 1": "value 1",
          "Header 2": "value 2"
        },
        "httpAuthenticationPassword": "password",
        "httpAuthenticationUsername": "username",
        "readTimeout": 2000,
        "sslCertificate": "-----BEGIN CERTIFICATE-----\nMIIDUjCCArugAwIBAgIJANZCTNN98L9ZMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV\nBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZz\nZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkB\nFhFzamZkZkBsc2tkamZjLmNvbTAeFw0xNDA0MDkyMTA2MDdaFw0xNDA1MDkyMTA2\nMDdaMHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVy\nMQ8wDQYDVQQKEwZzZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAw\nHgYJKoZIhvcNAQkBFhFzamZkZkBsc2tkamZjLmNvbTCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAxnQBqyuYvjUE4aFQ6vVZU5RqHmy3KiTg2NcxELIlZztUTK3a\nVFbJoBB4ixHXCCYslujthILyBjgT3F+IhSpPAcrlu8O5LVPaPCysh/SNrGNwH4lq\neiW9Z5WAhRO/nG7NZNa0USPHAei6b9Sv9PxuKCY+GJfAIwlO4/bltIH06/kCAwEA\nAaOB3zCB3DAdBgNVHQ4EFgQUU4SqJEFm1zW+CcLxmLlARrqtMN0wgawGA1UdIwSB\npDCBoYAUU4SqJEFm1zW+CcLxmLlARrqtMN2hfqR8MHoxCzAJBgNVBAYTAlVTMQsw\nCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZzZXRoLXMxCjAI\nBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkBFhFzamZkZkBs\nc2tkamZjLmNvbYIJANZCTNN98L9ZMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF\nBQADgYEAY/cJsi3w6R4hF4PzAXLhGOg1tzTDYvol3w024WoehJur+qM0AY6UqtoJ\nneCq9af32IKbbOKkoaok+t1+/tylQVF/0FXMTKepxaMbG22vr4TmN3idPUYYbPfW\n5GkF7Hh96BjerrtiUPGuBZL50HoLZ5aR5oZUMAu7TXhOFp+vZp8=\n-----END CERTIFICATE-----",
        "tenantIds": [
          "32306536-3036-6431-3865-646430303332",
          "30663132-6464-6665-3032-326466613934"
        ],
        "url": "http://mygameserver.local:7001/fusionauth-webhook"
      }
    }

    Response

    The response for this API contains the information for the Webhook that was created.

    Table 1. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    Response Body

    webhook.applicationIds [Array<UUID>] Optional Deprecated

    The Ids of the Applications that this Webhook is associated with. If no Ids are returned and the global field is false, this Webhook is not used. Typically global should be set to true.

    Removed in version 1.37.0 In version 1.37.0 and beyond, Webhooks are optionally associated with Tenants instead of Applications. See new field tenantIds.

    webhook.connectTimeout [Integer]

    The connection timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhook.data [Object] Available since 1.15.0

    An object that can hold any information about the Webhook that should be persisted.

    webhook.description [String]

    A description of the Webhook. This is used for display purposes only.

    webhook.eventsEnabled [Object]

    A mapping for the events that are enabled for this Webhook. The key of the Object property is the name of the event and the value is a boolean. It should look like this:

    
    {
      "user.create": true,
      "user.delete": false
    }

    The possible event types are:

    • audit-log.create - When an audit log is created Available since 1.30.0

    • event-log.create - When an event log is created Available since 1.30.0

    • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

    • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

    • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

    • kickstart.success - When kickstart has successfully completed Available since 1.30.0

    • user.action - When a user action is triggered

    • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

    • user.create - When a user is created

    • user.create.complete - When a user create transaction has completed Available since 1.30.0

    • user.deactivate - When a user is deactivated

    • user.delete - When a user is deleted

    • user.delete.complete - When a user delete transaction has completed Available since 1.30.0

    • user.email.update - When a user updates their email address Available since 1.30.0

    • user.email.verified - When a user verifies their email address Available since 1.8.0

    • user.identity-provider.link - When a link is created from a user to an Identity Provider Available since 1.36.0

    • user.identity-provider.unlink - When an existing Identity Provider link is removed from a User Available since 1.36.0

    • user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.failed - When a user fails a login request Available since 1.6.0

    • user.login.new-device - When a user begins a login request with a new device Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.success - When a user completes a login request Available since 1.6.0

    • user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license) Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

      Note: A paid plan is required to utilize this event.

    • user.password.reset.send - When a forgot password email has been sent to a user Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.start - When the process to reset a user password has started Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.success - When a user has successfully reset their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.update - When a user has updated their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.reactivate - When a user is reactivated

    • user.registration.create - When a user registration is created Available since 1.6.0

    • user.registration.create.complete - When a user registration create transaction has completed Available since 1.30.0

    • user.registration.delete - When a user registration is deleted Available since 1.6.0

    • user.registration.delete.complete - When a user registration delete transaction has completed Available since 1.30.0

    • user.registration.update - When a user registration is updated Available since 1.6.0

    • user.registration.update.complete - When a user registration update transaction has completed Available since 1.30.0

    • user.registration.verified - When a user completes registration verification Available since 1.8.0

    • user.two-factor.method.add - When a user has added a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.two-factor.method.remove - When a user has removed a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.update - When a user is updated

    • user.update.complete - When a user update transaction has completed Available since 1.30.0

    webhook.global [Boolean]

    Whether or not this Webhook is used for all events or just for specific Applications.

    webhook.headers [Map<String, String>]

    An object that contains headers that are sent as part of the HTTP request for the events.

    webhook.httpAuthenticationPassword [String]

    The HTTP basic authentication password that is sent as part of the HTTP request for the events.

    webhook.httpAuthenticationUsername [String]

    The HTTP basic authentication username that is sent as part of the HTTP request for the events.

    webhook.id [UUID]

    The Id of the Webhook.

    webhook.insertInstant [Long]

    The instant that the Webhook was added to the FusionAuth database.

    webhook.lastUpdateInstant [Long]

    The instant that the Webhook was last updated in the FusionAuth database.

    webhook.readTimeout [Integer]

    The read timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhook.sslCertificate [String]

    An SSL certificate in PEM format that is used to establish the SSL (TLS specifically) connection to the Webhook.

    webhook.tenantIds [Array<UUID>] Optional Available since 1.37.0

    The Ids of the Tenants that this Webhook is associated with. If no Ids are returned and the global field is false, this Webhook is not used.

    webhook.url [String]

    The fully qualified URL of the Webhook’s endpoint that will accept the event requests from FusionAuth.

    Example Request JSON for a Single Webhook
    
    {
      "webhook": {
        "connectTimeout": 1000,
        "data": { "updatedBy" : "richard" },
        "description": "The standard game Webhook",
        "eventsEnabled": {
          "user.create": true,
          "user.delete": false
        },
        "global": false,
        "headers": {
          "Header 1": "value 1",
          "Header 2": "value 2"
        },
        "httpAuthenticationPassword": "password",
        "httpAuthenticationUsername": "username",
        "id": "00000000-0000-0000-0000-000000000042",
        "insertInstant": 1471786482322,
        "lastUpdateInstant": 1595361143101,
        "readTimeout": 2000,
        "sslCertificate": "-----BEGIN CERTIFICATE-----\nMIIDUjCCArugAwIBAgIJANZCTNN98L9ZMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV\nBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZz\nZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkB\nFhFzamZkZkBsc2tkamZjLmNvbTAeFw0xNDA0MDkyMTA2MDdaFw0xNDA1MDkyMTA2\nMDdaMHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVy\nMQ8wDQYDVQQKEwZzZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAw\nHgYJKoZIhvcNAQkBFhFzamZkZkBsc2tkamZjLmNvbTCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAxnQBqyuYvjUE4aFQ6vVZU5RqHmy3KiTg2NcxELIlZztUTK3a\nVFbJoBB4ixHXCCYslujthILyBjgT3F+IhSpPAcrlu8O5LVPaPCysh/SNrGNwH4lq\neiW9Z5WAhRO/nG7NZNa0USPHAei6b9Sv9PxuKCY+GJfAIwlO4/bltIH06/kCAwEA\nAaOB3zCB3DAdBgNVHQ4EFgQUU4SqJEFm1zW+CcLxmLlARrqtMN0wgawGA1UdIwSB\npDCBoYAUU4SqJEFm1zW+CcLxmLlARrqtMN2hfqR8MHoxCzAJBgNVBAYTAlVTMQsw\nCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZzZXRoLXMxCjAI\nBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkBFhFzamZkZkBs\nc2tkamZjLmNvbYIJANZCTNN98L9ZMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF\nBQADgYEAY/cJsi3w6R4hF4PzAXLhGOg1tzTDYvol3w024WoehJur+qM0AY6UqtoJ\nneCq9af32IKbbOKkoaok+t1+/tylQVF/0FXMTKepxaMbG22vr4TmN3idPUYYbPfW\n5GkF7Hh96BjerrtiUPGuBZL50HoLZ5aR5oZUMAu7TXhOFp+vZp8=\n-----END CERTIFICATE-----",
        "tenantIds": [
          "32306536-3036-6431-3865-646430303332",
          "30663132-6464-6665-3032-326466613934"
        ],
        "url": "http://mygameserver.local:7001/fusionauth-webhook"
      }
    }

    Retrieve a Webhook

    This API is used to retrieve one or all of the configured Webhooks. Specifying an Id on the URI will retrieve a single Webhook. Leaving off the Id will retrieve all of the Webhooks.

    Request

    Retrieve all of the Webhooks

    URI

    GET /api/webhook

    Retrieve a single Webhook by Id

    URI

    GET /api/webhook/{webhookId}

    Request Parameters

    webhookId [UUID] Optional

    The Id of the Webhook to retrieve.

    Response

    The response for this API contains either a single Webhook or all of the Webhooks. When you call this API with an Id the response will contain just that Webhook. When you call this API without an Id the response will contain all of the Webhooks. Both response types are defined below along with an example JSON response.

    Table 2. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

    404

    The object you requested doesn’t exist. The response will be empty.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    Response Body

    webhook.applicationIds [Array<UUID>] Optional Deprecated

    The Ids of the Applications that this Webhook is associated with. If no Ids are returned and the global field is false, this Webhook is not used. Typically global should be set to true.

    Removed in version 1.37.0 In version 1.37.0 and beyond, Webhooks are optionally associated with Tenants instead of Applications. See new field tenantIds.

    webhook.connectTimeout [Integer]

    The connection timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhook.data [Object] Available since 1.15.0

    An object that can hold any information about the Webhook that should be persisted.

    webhook.description [String]

    A description of the Webhook. This is used for display purposes only.

    webhook.eventsEnabled [Object]

    A mapping for the events that are enabled for this Webhook. The key of the Object property is the name of the event and the value is a boolean. It should look like this:

    
    {
      "user.create": true,
      "user.delete": false
    }

    The possible event types are:

    • audit-log.create - When an audit log is created Available since 1.30.0

    • event-log.create - When an event log is created Available since 1.30.0

    • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

    • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

    • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

    • kickstart.success - When kickstart has successfully completed Available since 1.30.0

    • user.action - When a user action is triggered

    • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

    • user.create - When a user is created

    • user.create.complete - When a user create transaction has completed Available since 1.30.0

    • user.deactivate - When a user is deactivated

    • user.delete - When a user is deleted

    • user.delete.complete - When a user delete transaction has completed Available since 1.30.0

    • user.email.update - When a user updates their email address Available since 1.30.0

    • user.email.verified - When a user verifies their email address Available since 1.8.0

    • user.identity-provider.link - When a link is created from a user to an Identity Provider Available since 1.36.0

    • user.identity-provider.unlink - When an existing Identity Provider link is removed from a User Available since 1.36.0

    • user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.failed - When a user fails a login request Available since 1.6.0

    • user.login.new-device - When a user begins a login request with a new device Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.success - When a user completes a login request Available since 1.6.0

    • user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license) Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

      Note: A paid plan is required to utilize this event.

    • user.password.reset.send - When a forgot password email has been sent to a user Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.start - When the process to reset a user password has started Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.success - When a user has successfully reset their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.update - When a user has updated their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.reactivate - When a user is reactivated

    • user.registration.create - When a user registration is created Available since 1.6.0

    • user.registration.create.complete - When a user registration create transaction has completed Available since 1.30.0

    • user.registration.delete - When a user registration is deleted Available since 1.6.0

    • user.registration.delete.complete - When a user registration delete transaction has completed Available since 1.30.0

    • user.registration.update - When a user registration is updated Available since 1.6.0

    • user.registration.update.complete - When a user registration update transaction has completed Available since 1.30.0

    • user.registration.verified - When a user completes registration verification Available since 1.8.0

    • user.two-factor.method.add - When a user has added a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.two-factor.method.remove - When a user has removed a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.update - When a user is updated

    • user.update.complete - When a user update transaction has completed Available since 1.30.0

    webhook.global [Boolean]

    Whether or not this Webhook is used for all events or just for specific Applications.

    webhook.headers [Map<String, String>]

    An object that contains headers that are sent as part of the HTTP request for the events.

    webhook.httpAuthenticationPassword [String]

    The HTTP basic authentication password that is sent as part of the HTTP request for the events.

    webhook.httpAuthenticationUsername [String]

    The HTTP basic authentication username that is sent as part of the HTTP request for the events.

    webhook.id [UUID]

    The Id of the Webhook.

    webhook.insertInstant [Long]

    The instant that the Webhook was added to the FusionAuth database.

    webhook.lastUpdateInstant [Long]

    The instant that the Webhook was last updated in the FusionAuth database.

    webhook.readTimeout [Integer]

    The read timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhook.sslCertificate [String]

    An SSL certificate in PEM format that is used to establish the SSL (TLS specifically) connection to the Webhook.

    webhook.tenantIds [Array<UUID>] Optional Available since 1.37.0

    The Ids of the Tenants that this Webhook is associated with. If no Ids are returned and the global field is false, this Webhook is not used.

    webhook.url [String]

    The fully qualified URL of the Webhook’s endpoint that will accept the event requests from FusionAuth.

    Example Request JSON for a Single Webhook
    
    {
      "webhook": {
        "connectTimeout": 1000,
        "data": { "updatedBy" : "richard" },
        "description": "The standard game Webhook",
        "eventsEnabled": {
          "user.create": true,
          "user.delete": false
        },
        "global": false,
        "headers": {
          "Header 1": "value 1",
          "Header 2": "value 2"
        },
        "httpAuthenticationPassword": "password",
        "httpAuthenticationUsername": "username",
        "id": "00000000-0000-0000-0000-000000000042",
        "insertInstant": 1471786482322,
        "lastUpdateInstant": 1595361143101,
        "readTimeout": 2000,
        "sslCertificate": "-----BEGIN CERTIFICATE-----\nMIIDUjCCArugAwIBAgIJANZCTNN98L9ZMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV\nBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZz\nZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkB\nFhFzamZkZkBsc2tkamZjLmNvbTAeFw0xNDA0MDkyMTA2MDdaFw0xNDA1MDkyMTA2\nMDdaMHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVy\nMQ8wDQYDVQQKEwZzZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAw\nHgYJKoZIhvcNAQkBFhFzamZkZkBsc2tkamZjLmNvbTCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAxnQBqyuYvjUE4aFQ6vVZU5RqHmy3KiTg2NcxELIlZztUTK3a\nVFbJoBB4ixHXCCYslujthILyBjgT3F+IhSpPAcrlu8O5LVPaPCysh/SNrGNwH4lq\neiW9Z5WAhRO/nG7NZNa0USPHAei6b9Sv9PxuKCY+GJfAIwlO4/bltIH06/kCAwEA\nAaOB3zCB3DAdBgNVHQ4EFgQUU4SqJEFm1zW+CcLxmLlARrqtMN0wgawGA1UdIwSB\npDCBoYAUU4SqJEFm1zW+CcLxmLlARrqtMN2hfqR8MHoxCzAJBgNVBAYTAlVTMQsw\nCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZzZXRoLXMxCjAI\nBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkBFhFzamZkZkBs\nc2tkamZjLmNvbYIJANZCTNN98L9ZMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF\nBQADgYEAY/cJsi3w6R4hF4PzAXLhGOg1tzTDYvol3w024WoehJur+qM0AY6UqtoJ\nneCq9af32IKbbOKkoaok+t1+/tylQVF/0FXMTKepxaMbG22vr4TmN3idPUYYbPfW\n5GkF7Hh96BjerrtiUPGuBZL50HoLZ5aR5oZUMAu7TXhOFp+vZp8=\n-----END CERTIFICATE-----",
        "tenantIds": [
          "32306536-3036-6431-3865-646430303332",
          "30663132-6464-6665-3032-326466613934"
        ],
        "url": "http://mygameserver.local:7001/fusionauth-webhook"
      }
    }

    Request Body for all the Webhooks

    webhooks[x].applicationIds [Array<UUID>] Optional Deprecated

    The Ids of the Applications that this Webhook is associated with. If no Ids are returned and the global field is false, this Webhook is not used. Typically global should be set to true.

    Removed in version 1.37.0 In version 1.37.0 and beyond, Webhooks are optionally associated with Tenants instead of Applications. See new field tenantIds.

    webhooks[x].connectTimeout [Integer]

    The connection timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhooks[x].data [Object] Available since 1.15.0

    An object that can hold any information about the Webhook that should be persisted.

    webhooks[x].description [String]

    A description of the Webhook. This is used for display purposes only.

    webhooks[x].eventsEnabled [Object]

    A mapping for the events that are enabled for this Webhook. The key of the Object property is the name of the event and the value is a boolean. It should look like this:

    
    {
      "user.create": true,
      "user.delete": false
    }

    The possible event types are:

    • audit-log.create - When an audit log is created Available since 1.30.0

    • event-log.create - When an event log is created Available since 1.30.0

    • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

    • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

    • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

    • kickstart.success - When kickstart has successfully completed Available since 1.30.0

    • user.action - When a user action is triggered

    • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

    • user.create - When a user is created

    • user.create.complete - When a user create transaction has completed Available since 1.30.0

    • user.deactivate - When a user is deactivated

    • user.delete - When a user is deleted

    • user.delete.complete - When a user delete transaction has completed Available since 1.30.0

    • user.email.update - When a user updates their email address Available since 1.30.0

    • user.email.verified - When a user verifies their email address Available since 1.8.0

    • user.identity-provider.link - When a link is created from a user to an Identity Provider Available since 1.36.0

    • user.identity-provider.unlink - When an existing Identity Provider link is removed from a User Available since 1.36.0

    • user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.failed - When a user fails a login request Available since 1.6.0

    • user.login.new-device - When a user begins a login request with a new device Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.success - When a user completes a login request Available since 1.6.0

    • user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license) Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

      Note: A paid plan is required to utilize this event.

    • user.password.reset.send - When a forgot password email has been sent to a user Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.start - When the process to reset a user password has started Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.success - When a user has successfully reset their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.update - When a user has updated their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.reactivate - When a user is reactivated

    • user.registration.create - When a user registration is created Available since 1.6.0

    • user.registration.create.complete - When a user registration create transaction has completed Available since 1.30.0

    • user.registration.delete - When a user registration is deleted Available since 1.6.0

    • user.registration.delete.complete - When a user registration delete transaction has completed Available since 1.30.0

    • user.registration.update - When a user registration is updated Available since 1.6.0

    • user.registration.update.complete - When a user registration update transaction has completed Available since 1.30.0

    • user.registration.verified - When a user completes registration verification Available since 1.8.0

    • user.two-factor.method.add - When a user has added a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.two-factor.method.remove - When a user has removed a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.update - When a user is updated

    • user.update.complete - When a user update transaction has completed Available since 1.30.0

    webhooks[x].global [Boolean]

    Whether or not this Webhook is used for all events or just for specific Applications.

    webhooks[x].headers [Map<String, String>]

    An object that contains headers that are sent as part of the HTTP request for the events.

    webhooks[x].httpAuthenticationPassword [String]

    The HTTP basic authentication password that is sent as part of the HTTP request for the events.

    webhooks[x].httpAuthenticationUsername [String]

    The HTTP basic authentication username that is sent as part of the HTTP request for the events.

    webhooks[x].id [UUID]

    The Id of the Webhook.

    webhooks[x].insertInstant [Long]

    The instant that the Webhook was added to the FusionAuth database.

    webhooks[x].lastUpdateInstant [Long]

    The instant that the Webhook was last updated in the FusionAuth database.

    webhooks[x].readTimeout [Integer]

    The read timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhooks[x].sslCertificate [String]

    An SSL certificate in PEM format that is used to establish the SSL (TLS specifically) connection to the Webhook.

    webhook.tenantIds [Array<UUID>] Optional Available since 1.37.0

    The Ids of the Tenants that this Webhook is associated with. If no Ids are returned and the global field is false, this Webhook is not used.

    webhooks[x].url [String]

    The fully qualified URL of the Webhook’s endpoint that will accept the event requests from FusionAuth.

    Example Request JSON for all the Webhooks
    
    {
      "webhooks": [
        {
          "connectTimeout": 1000,
          "data": { "updatedBy" : "richard" },
          "description": "The standard game Webhook",
          "eventsEnabled": {
            "user.create": true,
            "user.delete": false
          },
          "global": false,
          "headers": {
            "Header 1": "value 1",
            "Header 2": "value 2"
          },
          "httpAuthenticationPassword": "password",
          "httpAuthenticationUsername": "username",
          "id": "00000000-0000-0000-0000-000000000042",
          "insertInstant": 1471786482322,
          "lastUpdateInstant": 1595361143101,
          "readTimeout": 2000,
          "sslCertificate": "-----BEGIN CERTIFICATE-----\nMIIDUjCCArugAwIBAgIJANZCTNN98L9ZMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV\nBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZz\nZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkB\nFhFzamZkZkBsc2tkamZjLmNvbTAeFw0xNDA0MDkyMTA2MDdaFw0xNDA1MDkyMTA2\nMDdaMHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVy\nMQ8wDQYDVQQKEwZzZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAw\nHgYJKoZIhvcNAQkBFhFzamZkZkBsc2tkamZjLmNvbTCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAxnQBqyuYvjUE4aFQ6vVZU5RqHmy3KiTg2NcxELIlZztUTK3a\nVFbJoBB4ixHXCCYslujthILyBjgT3F+IhSpPAcrlu8O5LVPaPCysh/SNrGNwH4lq\neiW9Z5WAhRO/nG7NZNa0USPHAei6b9Sv9PxuKCY+GJfAIwlO4/bltIH06/kCAwEA\nAaOB3zCB3DAdBgNVHQ4EFgQUU4SqJEFm1zW+CcLxmLlARrqtMN0wgawGA1UdIwSB\npDCBoYAUU4SqJEFm1zW+CcLxmLlARrqtMN2hfqR8MHoxCzAJBgNVBAYTAlVTMQsw\nCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZzZXRoLXMxCjAI\nBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkBFhFzamZkZkBs\nc2tkamZjLmNvbYIJANZCTNN98L9ZMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF\nBQADgYEAY/cJsi3w6R4hF4PzAXLhGOg1tzTDYvol3w024WoehJur+qM0AY6UqtoJ\nneCq9af32IKbbOKkoaok+t1+/tylQVF/0FXMTKepxaMbG22vr4TmN3idPUYYbPfW\n5GkF7Hh96BjerrtiUPGuBZL50HoLZ5aR5oZUMAu7TXhOFp+vZp8=\n-----END CERTIFICATE-----",
          "tenantIds": [
            "32306536-3036-6431-3865-646430303332",
            "30663132-6464-6665-3032-326466613934"
          ],
          "url": "http://mygameserver.local:7001/fusionauth-webhook"
        }
      ]
    }

    Update a Webhook

    This API is used to update an existing Webhook.

    You must specify the Id of the Webhook you are updating on the URI.

    You must specify all of the properties of the Webhook when calling this API with the PUT HTTP method. When used with PUT, this API doesn’t merge the existing Webhook and your new data. It replaces the existing Webhook with your new data.

    Utilize the PATCH HTTP method to send specific changes to merge into an existing Webhook.

    Request

    Update a Webhook by Id

    URI

    PUT /api/webhook/{webhookId}

    PATCH /api/webhook/{webhookId}

    Available since 1.39.0

    When using the PATCH method, you can either use the same request body documentation that is provided for the PUT request for backward compatibility. Or you may use either JSON Patch/RFC 6902 or JSON Merge Patch/RFC 7396. See the PATCH documentation for more information.

    Available since 1.12.0

    When using the PATCH method, use the same request body documentation that is provided for the PUT request. The PATCH method will merge the provided request parameters into the existing object, this means all parameters are optional when using the PATCH method and you only provide the values you want changed. A null value can be used to remove a value. Patching an Array will result in all values from the new list being appended to the existing list, this is a known limitation to the current implementation of PATCH.

     

    Request Parameters

    webhookId [UUID] Required

    The Id of the Webhook to update.

    Request Body

    webhook.applicationIds [Array<UUID>] Optional Deprecated

    The Ids of the Applications that this Webhook should be associated with. If no Ids are specified and the global field is false, this Webhook will not be used. Typically global should be set to true.

    Removed in version 1.37.0 In version 1.37.0 and beyond, Webhooks are optionally associated with Tenants instead of Applications. See new field tenantIds.

    webhook.connectTimeout [Integer] Required

    The connection timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhook.data [Object] Optional Available since 1.15.0

    An object that can hold any information about the Webhook that should be persisted.

    webhook.description [String] Optional

    A description of the Webhook. This is used for display purposes only.

    webhook.eventsEnabled [Object] Optional

    A mapping for the events that are enabled for this Webhook. The key of the Object property is the name of the event and the value is a boolean. It should look like this:

    
    {
      "user.create": true,
      "user.delete": false
    }

    The possible event types are:

    • audit-log.create - When an audit log is created Available since 1.30.0

    • event-log.create - When an event log is created Available since 1.30.0

    • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

    • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

    • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

    • kickstart.success - When kickstart has successfully completed Available since 1.30.0

    • user.action - When a user action is triggered

    • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

    • user.create - When a user is created

    • user.create.complete - When a user create transaction has completed Available since 1.30.0

    • user.deactivate - When a user is deactivated

    • user.delete - When a user is deleted

    • user.delete.complete - When a user delete transaction has completed Available since 1.30.0

    • user.email.update - When a user updates their email address Available since 1.30.0

    • user.email.verified - When a user verifies their email address Available since 1.8.0

    • user.identity-provider.link - When a link is created from a user to an Identity Provider Available since 1.36.0

    • user.identity-provider.unlink - When an existing Identity Provider link is removed from a User Available since 1.36.0

    • user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.failed - When a user fails a login request Available since 1.6.0

    • user.login.new-device - When a user begins a login request with a new device Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.success - When a user completes a login request Available since 1.6.0

    • user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license) Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

      Note: A paid plan is required to utilize this event.

    • user.password.reset.send - When a forgot password email has been sent to a user Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.start - When the process to reset a user password has started Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.success - When a user has successfully reset their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.update - When a user has updated their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.reactivate - When a user is reactivated

    • user.registration.create - When a user registration is created Available since 1.6.0

    • user.registration.create.complete - When a user registration create transaction has completed Available since 1.30.0

    • user.registration.delete - When a user registration is deleted Available since 1.6.0

    • user.registration.delete.complete - When a user registration delete transaction has completed Available since 1.30.0

    • user.registration.update - When a user registration is updated Available since 1.6.0

    • user.registration.update.complete - When a user registration update transaction has completed Available since 1.30.0

    • user.registration.verified - When a user completes registration verification Available since 1.8.0

    • user.two-factor.method.add - When a user has added a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.two-factor.method.remove - When a user has removed a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.update - When a user is updated

    • user.update.complete - When a user update transaction has completed Available since 1.30.0

    webhook.global [Boolean] Optional defaults to false

    Whether or not this Webhook is used for all events or just for specific Applications. In almost all cases you want to set this field to true and filter on the application Id when processing the webhook.

    webhook.headers [Map<String, String>] Optional

    An object that contains headers that are sent as part of the HTTP request for the events.

    webhook.httpAuthenticationPassword [String] Optional

    The HTTP basic authentication password that is sent as part of the HTTP request for the events.

    webhook.httpAuthenticationUsername [String] Optional

    The HTTP basic authentication username that is sent as part of the HTTP request for the events.

    webhook.readTimeout [Integer] Required

    The read timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhook.sslCertificate [String] Optional

    An SSL certificate in PEM format that is used to establish the SSL (TLS specifically) connection to the Webhook.

    webhook.tenantIds [Array<UUID>] Optional Available since 1.37.0

    The Ids of the Tenants that this Webhook should be associated with. If no Ids are specified and the global field is false, this Webhook will not be used.

    webhook.url [String] Required

    The fully qualified URL of the Webhook’s endpoint that will accept the event requests from FusionAuth.

    Example Request JSON
    
    {
      "webhook": {
        "connectTimeout": 1000,
        "data": { "updatedBy" : "richard" },
        "description": "The standard game Webhook",
        "eventsEnabled": {
          "user.create": true,
          "user.delete": false
        },
        "global": false,
        "headers": {
          "Header 1": "value 1",
          "Header 2": "value 2"
        },
        "httpAuthenticationPassword": "password",
        "httpAuthenticationUsername": "username",
        "readTimeout": 2000,
        "sslCertificate": "-----BEGIN CERTIFICATE-----\nMIIDUjCCArugAwIBAgIJANZCTNN98L9ZMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV\nBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZz\nZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkB\nFhFzamZkZkBsc2tkamZjLmNvbTAeFw0xNDA0MDkyMTA2MDdaFw0xNDA1MDkyMTA2\nMDdaMHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVy\nMQ8wDQYDVQQKEwZzZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAw\nHgYJKoZIhvcNAQkBFhFzamZkZkBsc2tkamZjLmNvbTCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAxnQBqyuYvjUE4aFQ6vVZU5RqHmy3KiTg2NcxELIlZztUTK3a\nVFbJoBB4ixHXCCYslujthILyBjgT3F+IhSpPAcrlu8O5LVPaPCysh/SNrGNwH4lq\neiW9Z5WAhRO/nG7NZNa0USPHAei6b9Sv9PxuKCY+GJfAIwlO4/bltIH06/kCAwEA\nAaOB3zCB3DAdBgNVHQ4EFgQUU4SqJEFm1zW+CcLxmLlARrqtMN0wgawGA1UdIwSB\npDCBoYAUU4SqJEFm1zW+CcLxmLlARrqtMN2hfqR8MHoxCzAJBgNVBAYTAlVTMQsw\nCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZzZXRoLXMxCjAI\nBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkBFhFzamZkZkBs\nc2tkamZjLmNvbYIJANZCTNN98L9ZMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF\nBQADgYEAY/cJsi3w6R4hF4PzAXLhGOg1tzTDYvol3w024WoehJur+qM0AY6UqtoJ\nneCq9af32IKbbOKkoaok+t1+/tylQVF/0FXMTKepxaMbG22vr4TmN3idPUYYbPfW\n5GkF7Hh96BjerrtiUPGuBZL50HoLZ5aR5oZUMAu7TXhOFp+vZp8=\n-----END CERTIFICATE-----",
        "tenantIds": [
          "32306536-3036-6431-3865-646430303332",
          "30663132-6464-6665-3032-326466613934"
        ],
        "url": "http://mygameserver.local:7001/fusionauth-webhook"
      }
    }

    Response

    The response for this API contains the new information for the Webhook that was updated.

    Table 3. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    Response Body

    webhook.applicationIds [Array<UUID>] Optional Deprecated

    The Ids of the Applications that this Webhook is associated with. If no Ids are returned and the global field is false, this Webhook is not used. Typically global should be set to true.

    Removed in version 1.37.0 In version 1.37.0 and beyond, Webhooks are optionally associated with Tenants instead of Applications. See new field tenantIds.

    webhook.connectTimeout [Integer]

    The connection timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhook.data [Object] Available since 1.15.0

    An object that can hold any information about the Webhook that should be persisted.

    webhook.description [String]

    A description of the Webhook. This is used for display purposes only.

    webhook.eventsEnabled [Object]

    A mapping for the events that are enabled for this Webhook. The key of the Object property is the name of the event and the value is a boolean. It should look like this:

    
    {
      "user.create": true,
      "user.delete": false
    }

    The possible event types are:

    • audit-log.create - When an audit log is created Available since 1.30.0

    • event-log.create - When an event log is created Available since 1.30.0

    • jwt.public-key.update - When a JWT RSA Public / Private keypair may have been changed

    • jwt.refresh - When an access token is refreshed using a refresh token Available since 1.16.0

    • jwt.refresh-token.revoke - When a JWT Refresh Token is revoked

    • kickstart.success - When kickstart has successfully completed Available since 1.30.0

    • user.action - When a user action is triggered

    • user.bulk.create - When multiple users are created in bulk (i.e. during an import)

    • user.create - When a user is created

    • user.create.complete - When a user create transaction has completed Available since 1.30.0

    • user.deactivate - When a user is deactivated

    • user.delete - When a user is deleted

    • user.delete.complete - When a user delete transaction has completed Available since 1.30.0

    • user.email.update - When a user updates their email address Available since 1.30.0

    • user.email.verified - When a user verifies their email address Available since 1.8.0

    • user.identity-provider.link - When a link is created from a user to an Identity Provider Available since 1.36.0

    • user.identity-provider.unlink - When an existing Identity Provider link is removed from a User Available since 1.36.0

    • user.loginId.duplicate.create - When a request to create a user with a login Id (email or username) which is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.loginId.duplicate.update - When a request to update a user and change their login Id (email or username) to one that is already in use has been received Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.failed - When a user fails a login request Available since 1.6.0

    • user.login.new-device - When a user begins a login request with a new device Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.login.success - When a user completes a login request Available since 1.6.0

    • user.login.suspicious - When a user logs in and is considered to be a potential threat (requires an activated Enterprise license) Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.breach - When Reactor detects a user is using a potentially breached password (requires an activated license) Available since 1.15.0

      Note: A paid plan is required to utilize this event.

    • user.password.reset.send - When a forgot password email has been sent to a user Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.start - When the process to reset a user password has started Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.reset.success - When a user has successfully reset their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.password.update - When a user has updated their password Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.reactivate - When a user is reactivated

    • user.registration.create - When a user registration is created Available since 1.6.0

    • user.registration.create.complete - When a user registration create transaction has completed Available since 1.30.0

    • user.registration.delete - When a user registration is deleted Available since 1.6.0

    • user.registration.delete.complete - When a user registration delete transaction has completed Available since 1.30.0

    • user.registration.update - When a user registration is updated Available since 1.6.0

    • user.registration.update.complete - When a user registration update transaction has completed Available since 1.30.0

    • user.registration.verified - When a user completes registration verification Available since 1.8.0

    • user.two-factor.method.add - When a user has added a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.two-factor.method.remove - When a user has removed a two-factor method Available since 1.30.0

      Note: An Enterprise plan is required to utilize this event.

    • user.update - When a user is updated

    • user.update.complete - When a user update transaction has completed Available since 1.30.0

    webhook.global [Boolean]

    Whether or not this Webhook is used for all events or just for specific Applications.

    webhook.headers [Map<String, String>]

    An object that contains headers that are sent as part of the HTTP request for the events.

    webhook.httpAuthenticationPassword [String]

    The HTTP basic authentication password that is sent as part of the HTTP request for the events.

    webhook.httpAuthenticationUsername [String]

    The HTTP basic authentication username that is sent as part of the HTTP request for the events.

    webhook.id [UUID]

    The Id of the Webhook.

    webhook.insertInstant [Long]

    The instant that the Webhook was added to the FusionAuth database.

    webhook.lastUpdateInstant [Long]

    The instant that the Webhook was last updated in the FusionAuth database.

    webhook.readTimeout [Integer]

    The read timeout in milliseconds used when FusionAuth sends events to the Webhook.

    webhook.sslCertificate [String]

    An SSL certificate in PEM format that is used to establish the SSL (TLS specifically) connection to the Webhook.

    webhook.tenantIds [Array<UUID>] Optional Available since 1.37.0

    The Ids of the Tenants that this Webhook is associated with. If no Ids are returned and the global field is false, this Webhook is not used.

    webhook.url [String]

    The fully qualified URL of the Webhook’s endpoint that will accept the event requests from FusionAuth.

    Example Request JSON for a Single Webhook
    
    {
      "webhook": {
        "connectTimeout": 1000,
        "data": { "updatedBy" : "richard" },
        "description": "The standard game Webhook",
        "eventsEnabled": {
          "user.create": true,
          "user.delete": false
        },
        "global": false,
        "headers": {
          "Header 1": "value 1",
          "Header 2": "value 2"
        },
        "httpAuthenticationPassword": "password",
        "httpAuthenticationUsername": "username",
        "id": "00000000-0000-0000-0000-000000000042",
        "insertInstant": 1471786482322,
        "lastUpdateInstant": 1595361143101,
        "readTimeout": 2000,
        "sslCertificate": "-----BEGIN CERTIFICATE-----\nMIIDUjCCArugAwIBAgIJANZCTNN98L9ZMA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV\nBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZz\nZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkB\nFhFzamZkZkBsc2tkamZjLmNvbTAeFw0xNDA0MDkyMTA2MDdaFw0xNDA1MDkyMTA2\nMDdaMHoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVy\nMQ8wDQYDVQQKEwZzZXRoLXMxCjAIBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAw\nHgYJKoZIhvcNAQkBFhFzamZkZkBsc2tkamZjLmNvbTCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAxnQBqyuYvjUE4aFQ6vVZU5RqHmy3KiTg2NcxELIlZztUTK3a\nVFbJoBB4ixHXCCYslujthILyBjgT3F+IhSpPAcrlu8O5LVPaPCysh/SNrGNwH4lq\neiW9Z5WAhRO/nG7NZNa0USPHAei6b9Sv9PxuKCY+GJfAIwlO4/bltIH06/kCAwEA\nAaOB3zCB3DAdBgNVHQ4EFgQUU4SqJEFm1zW+CcLxmLlARrqtMN0wgawGA1UdIwSB\npDCBoYAUU4SqJEFm1zW+CcLxmLlARrqtMN2hfqR8MHoxCzAJBgNVBAYTAlVTMQsw\nCQYDVQQIEwJDTzEPMA0GA1UEBxMGZGVudmVyMQ8wDQYDVQQKEwZzZXRoLXMxCjAI\nBgNVBAsTAXMxDjAMBgNVBAMTBWludmVyMSAwHgYJKoZIhvcNAQkBFhFzamZkZkBs\nc2tkamZjLmNvbYIJANZCTNN98L9ZMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF\nBQADgYEAY/cJsi3w6R4hF4PzAXLhGOg1tzTDYvol3w024WoehJur+qM0AY6UqtoJ\nneCq9af32IKbbOKkoaok+t1+/tylQVF/0FXMTKepxaMbG22vr4TmN3idPUYYbPfW\n5GkF7Hh96BjerrtiUPGuBZL50HoLZ5aR5oZUMAu7TXhOFp+vZp8=\n-----END CERTIFICATE-----",
        "tenantIds": [
          "32306536-3036-6431-3865-646430303332",
          "30663132-6464-6665-3032-326466613934"
        ],
        "url": "http://mygameserver.local:7001/fusionauth-webhook"
      }
    }

    Delete a Webhook

    This API is used to delete a Webhook.

    Request

    Delete a Webhook by Id

    URI

    DELETE /api/webhook/{webhookId}

    Request Parameters

    webhookId [UUID] Required

    The Id of the Webhook to delete.

    Response

    This API does not return a JSON response body.

    Table 4. Response Codes
    Code Description

    200

    The request was successful. The response will be empty.

    400

    The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.

    404

    The object you are trying to delete doesn’t exist. The response will be empty.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    Feedback

    How helpful was this page?

    See a problem?

    File an issue in our docs repo

    Have a question or comment to share?

    Visit the FusionAuth community forum.

    © 2023 FusionAuth
    Subscribe for developer updates