Using Hanko webhooks

This feature is only available in the Pro or Enterprise plans.

About webhooks

Webhooks enable real-time event subscriptions within your Hanko project, automatically delivering event data to your server whenever authentication events occur. This facilitates user data synchronization and custom workflow automation. Create webhooks by specifying a callback URL and selecting events to monitor. When subscribed events occur, Hanko sends HTTP POST requests with event data to your specified endpoint. Your application can then process this data through a publicly accessible HTTPS endpoint.

High level overview of creating webhooks and handling webhook deliveries

Creating webhooks

Set up webhooks through these steps:

Access webhook settings

Configure your webhook

Click Create webhook, enter your callback URL, and select events for subscription. Review Events for complete event type information.

You can implement either a single webhook endpoint handling multiple events or separate webhooks for specific event types, depending on your architecture preferences.

Handling webhook deliveries

Process webhook deliveries through these steps:

Create callback endpoint

Implement a publicly accessible HTTP POST endpoint at your configured callback URL to receive webhook deliveries.

Parse webhook payload

Extract the webhook event payload containing event information and JWT-encoded event data.

Validate payload authenticity

Verify JWT signatures using your tenant’s .well-known endpoint to ensure deliveries originate from Hanko and remain uncompromised.

Decode JWT token

Parse the JWT to extract event data from the token payload. Event data structures vary by event type - see Event types and token payloads.

Process event data

Handle the extracted event data according to your application’s specific requirements.

Example (Javascript)

This example uses express and the jose package to parse and verify JWTs.

npm install express jose

The example assumes usage of a single HTTP endpoint for all event types but you could just as well configure multiple webhooks and use multiple HTTP endpoints.

// These are the dependencies you should have installed for
// this example.
const express = require('express');
const { createRemoteJWKSet, jwtVerify } = require('jose');

const app = express();

// Middleware for parsing requests with a JSON payload.
app.use(express.json());

// Step 1: This defines a POST endpoint at the `/webhook` path.
// This path should match the path portion of the URL that you
// specified for the callback URL when you created the webhook.
// Once you edit a webhook by updating the callback URL of your
// webhook, you should change this to match the path portion of
// the updated URL for your webhook.
app.post('/webhook', async (req, res) => {
    // Step 2: Extract the event and token from the request body.
    // You could use the event type to branch and apply
    // logic/code for specific event types.
    // This example assumes one endpoint for all event types so
    // extracting the `event` property may lead to an unused
    // variable.
    const { event, token } = req.body;

    try {
        // This would likely come from your environment/config.
        // You can always find your tenant ID on the dashboard
        // for your project in the Hanko Cloud Console.
        const tenantId = 'your-tenant-id';

        // See also the API reference:
        // http://docs.hanko.io/api-reference/public/well-known/get-json-web-key-set
        const jwksUrl = `https://${tenantId}.hanko.io/.well-known/jwks.json`;

        // Step 3 + 4: Fetch the JWKS of your Hanko tenant, verify
        // the token signature using the JWKS and extract the
        // payload.
        const jwks = createRemoteJWKSet(new URL(jwksUrl));
        const { payload } = await jwtVerify(token, jwks);

        console.log('Decoded token payload:', payload);

        // Step 6: Do further processing according to your
        // application's needs.

    } catch (error) {
        console.error('Error processing the token:', error.message);
    }

    //  Your endpoint should respond with a 2XX response within 30 seconds
    //  of receiving a webhook delivery to indicate that the delivery was
    //  successfully received. If your server takes longer than that to
    //  respond, then Hanko terminates the connection and considers the
    //  delivery a failure.
    res.sendStatus(202);
});

// Start the Express server
const PORT = 3000;
app.listen(PORT, () => {
    console.log(`Server is running on http://localhost:${PORT}`);
});

Your server must return the complete certificate chain otherwise the request will fail.

Editing and removing webhooks

Manage existing webhooks through these steps:

Access webhook settings

Modify or delete webhooks

Find your webhook and click the three dots (...). Choose Edit to modify the callback URL or event subscriptions, or Delete to remove the webhook completely.

Events

Hanko offers various event types for subscription. Each event type determines the structure and content of the payload delivered to your callback URL.

Event payload

The structure of the event payload is the same across all event types. It contains the event type and the event data in the form of a JSON Web Token (JWT).

Event payload example

Event payload properties

Event types and token payloads

Events are structured hierarchically with some events subsuming the occurrence of multiple (“sub”)-events. These types of events do not actually appear as the value for the event property in the webhook event payload. Subscribing to these types of events when creating a webhook is a convenient way to group certain event types and allows you to structure your callback endpoints around these groups. A webhook’s event data is encoded as a JWT in the webhook’s callback request body. You need to parse the token to access the token’s payload which contains the actual event data (see Handling webhook deliveries for an example).

user

Subscribing to this event implies subscription to the following events: user.create, user.delete, user.login, user.udpate.email.create, user.update.email.delete, user.update.email.primary, user.update.password.update user.update.username.create, user.update.username.delete, user.update.username.update

user.create

This event is triggered when a new user is created.

'user.create' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "created_at": "2025-01-15T12:57:56.724052Z",
        "emails": [
            {
                "id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "address": "test@example.com",
                "is_verified": true,
                "is_primary": true,
                "created_at": "2025-01-15T13:57:56.72784Z",
                "updated_at": "2025-01-15T13:57:56.72801Z"
            }
        ],
        "id": "42fbd0dc-28fb-4144-892c-c2c4a0f8f5d8",
        "identities": [
            {
                "id": "b3af92c5-414c-4c6b-a3ea-82ee263badef",
                "provider_id": "123456abcd",
                "provider_name": "testprovider",
                "email_id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "created_at": "2025-01-17T13:40:11Z",
                "updated_at": "2025-01-17T13:40:13Z"
            }
        ],
        "ip_address": "127.0.0.1",
        "otp": {
            "id": "a7efd1ee-d7b2-440e-9284-625e06931745",
            "created_at": "2025-01-17T13:39:29.081428Z"
        },
        "password": {
            "id": "6ec87b0c-67db-42ef-9adb-d106734bde02",
            "created_at": "2025-01-15T13:57:56.735651Z",
            "updated_at": "2025-01-15T13:57:56.735651Z"
        },
        "updated_at": "2025-01-15T13:57:56.724255Z",
        "username": {
            "id": "61580d7d-0c11-4c25-bfca-ace21a14cc01",
            "username": "testmakker",
            "created_at": "2025-01-15T14:45:00.293001Z",
            "updated_at": "2025-01-17T13:46:41.700373Z"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
        "webauthn_credentials": [
            {
                "id": "eaYxbrFQJjl5dW5SAr0KznEmHwAen8HUAiaKN9ijsDY",
                "public_key": "pQECAyYgASFYIMq-SVnCDGIJjK2TAJyEQyXNtOw7x_MuEVUQuW80-AOcIlggyEcR_v5C8PuhrThwgx2urmRqviIb7dyXmGr3oyWk2rU",
                "attestation_type": "packed",
                "aaguid": "70a4ab68-d027-451a-9c86-3b8fd8414f68",
                "last_used_at": "2025-01-17T12:38:28.698563Z",
                "created_at": "2025-01-17T12:38:28.698563Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": true
            },
            {
                "id": "BPtYkS1prrGu1owU3StJwWM5uYtVoD1-h4N_rPHrB84",
                "public_key": "pQECAyYgASFYILo4i3yC0V2kciBHL96EOx08h32CXXIFnuUmggHOhkGvIlggQFIp4CeJhzGpCiTNuQQoyiKV7oMLYxM549ctLJXJkZ0",
                "attestation_type": "packed",
                "aaguid": "649b9062-5892-4223-832b-921c5bce5827",
                "last_used_at": "2025-01-17T12:39:06.718171Z",
                "created_at": "2025-01-17T12:39:06.718171Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": false
            }
        ]
    },
    "evt": "<string>", // the corresponding event type
    "exp": 1737118303,
    "iat": 1737118003,
    "sub": "hanko webhooks"
}

'user.create' token payload properties

user.delete

This event is triggered when a user is deleted.

'user.delete' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "created_at": "2025-01-15T12:57:56.724052Z",
        "emails": [
            {
                "id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "address": "test@example.com",
                "is_verified": true,
                "is_primary": true,
                "created_at": "2025-01-15T13:57:56.72784Z",
                "updated_at": "2025-01-15T13:57:56.72801Z"
            }
        ],
        "id": "42fbd0dc-28fb-4144-892c-c2c4a0f8f5d8",
        "identities": [
            {
                "id": "b3af92c5-414c-4c6b-a3ea-82ee263badef",
                "provider_id": "123456abcd",
                "provider_name": "testprovider",
                "email_id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "created_at": "2025-01-17T13:40:11Z",
                "updated_at": "2025-01-17T13:40:13Z"
            }
        ],
        "ip_address": "127.0.0.1",
        "otp": {
            "id": "a7efd1ee-d7b2-440e-9284-625e06931745",
            "created_at": "2025-01-17T13:39:29.081428Z"
        },
        "password": {
            "id": "6ec87b0c-67db-42ef-9adb-d106734bde02",
            "created_at": "2025-01-15T13:57:56.735651Z",
            "updated_at": "2025-01-15T13:57:56.735651Z"
        },
        "updated_at": "2025-01-15T13:57:56.724255Z",
        "username": {
            "id": "61580d7d-0c11-4c25-bfca-ace21a14cc01",
            "username": "testmakker",
            "created_at": "2025-01-15T14:45:00.293001Z",
            "updated_at": "2025-01-17T13:46:41.700373Z"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
        "webauthn_credentials": [
            {
                "id": "eaYxbrFQJjl5dW5SAr0KznEmHwAen8HUAiaKN9ijsDY",
                "public_key": "pQECAyYgASFYIMq-SVnCDGIJjK2TAJyEQyXNtOw7x_MuEVUQuW80-AOcIlggyEcR_v5C8PuhrThwgx2urmRqviIb7dyXmGr3oyWk2rU",
                "attestation_type": "packed",
                "aaguid": "70a4ab68-d027-451a-9c86-3b8fd8414f68",
                "last_used_at": "2025-01-17T12:38:28.698563Z",
                "created_at": "2025-01-17T12:38:28.698563Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": true
            },
            {
                "id": "BPtYkS1prrGu1owU3StJwWM5uYtVoD1-h4N_rPHrB84",
                "public_key": "pQECAyYgASFYILo4i3yC0V2kciBHL96EOx08h32CXXIFnuUmggHOhkGvIlggQFIp4CeJhzGpCiTNuQQoyiKV7oMLYxM549ctLJXJkZ0",
                "attestation_type": "packed",
                "aaguid": "649b9062-5892-4223-832b-921c5bce5827",
                "last_used_at": "2025-01-17T12:39:06.718171Z",
                "created_at": "2025-01-17T12:39:06.718171Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": false
            }
        ]
    },
    "evt": "<string>", // the corresponding event type
    "exp": 1737118303,
    "iat": 1737118003,
    "sub": "hanko webhooks"
}

'user.delete' token payload properties

This event is triggered when a user logs in.

'user.login' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "created_at": "2025-01-15T12:57:56.724052Z",
        "emails": [
            {
                "id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "address": "test@example.com",
                "is_verified": true,
                "is_primary": true,
                "created_at": "2025-01-15T13:57:56.72784Z",
                "updated_at": "2025-01-15T13:57:56.72801Z"
            }
        ],
        "id": "42fbd0dc-28fb-4144-892c-c2c4a0f8f5d8",
        "identities": [
            {
                "id": "b3af92c5-414c-4c6b-a3ea-82ee263badef",
                "provider_id": "123456abcd",
                "provider_name": "testprovider",
                "email_id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "created_at": "2025-01-17T13:40:11Z",
                "updated_at": "2025-01-17T13:40:13Z"
            }
        ],
        "ip_address": "127.0.0.1",
        "otp": {
            "id": "a7efd1ee-d7b2-440e-9284-625e06931745",
            "created_at": "2025-01-17T13:39:29.081428Z"
        },
        "password": {
            "id": "6ec87b0c-67db-42ef-9adb-d106734bde02",
            "created_at": "2025-01-15T13:57:56.735651Z",
            "updated_at": "2025-01-15T13:57:56.735651Z"
        },
        "updated_at": "2025-01-15T13:57:56.724255Z",
        "username": {
            "id": "61580d7d-0c11-4c25-bfca-ace21a14cc01",
            "username": "testmakker",
            "created_at": "2025-01-15T14:45:00.293001Z",
            "updated_at": "2025-01-17T13:46:41.700373Z"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
        "webauthn_credentials": [
            {
                "id": "eaYxbrFQJjl5dW5SAr0KznEmHwAen8HUAiaKN9ijsDY",
                "public_key": "pQECAyYgASFYIMq-SVnCDGIJjK2TAJyEQyXNtOw7x_MuEVUQuW80-AOcIlggyEcR_v5C8PuhrThwgx2urmRqviIb7dyXmGr3oyWk2rU",
                "attestation_type": "packed",
                "aaguid": "70a4ab68-d027-451a-9c86-3b8fd8414f68",
                "last_used_at": "2025-01-17T12:38:28.698563Z",
                "created_at": "2025-01-17T12:38:28.698563Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": true
            },
            {
                "id": "BPtYkS1prrGu1owU3StJwWM5uYtVoD1-h4N_rPHrB84",
                "public_key": "pQECAyYgASFYILo4i3yC0V2kciBHL96EOx08h32CXXIFnuUmggHOhkGvIlggQFIp4CeJhzGpCiTNuQQoyiKV7oMLYxM549ctLJXJkZ0",
                "attestation_type": "packed",
                "aaguid": "649b9062-5892-4223-832b-921c5bce5827",
                "last_used_at": "2025-01-17T12:39:06.718171Z",
                "created_at": "2025-01-17T12:39:06.718171Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": false
            }
        ]
    },
    "evt": "<string>", // the corresponding event type
    "exp": 1737118303,
    "iat": 1737118003,
    "sub": "hanko webhooks"
}

'user.login' token payload properties

user.update

Subscribing to this event implies subscription to the following events: user.udpate.email.create, user.update.email.delete, user.update.email.primary, user.update.password.update user.update.username.create, user.update.username.delete, user.update.username.update

user.update.email

Subscribing to this event implies subscription to the following events: user.udpate.email.create, user.update.email.delete, user.update.email.primary

user.update.email.create

This event is triggered when an email is created for a user.

'user.update.email.create' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "created_at": "2025-01-15T12:57:56.724052Z",
        "emails": [
            {
                "id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "address": "test@example.com",
                "is_verified": true,
                "is_primary": true,
                "created_at": "2025-01-15T13:57:56.72784Z",
                "updated_at": "2025-01-15T13:57:56.72801Z"
            }
        ],
        "id": "42fbd0dc-28fb-4144-892c-c2c4a0f8f5d8",
        "identities": [
            {
                "id": "b3af92c5-414c-4c6b-a3ea-82ee263badef",
                "provider_id": "123456abcd",
                "provider_name": "testprovider",
                "email_id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "created_at": "2025-01-17T13:40:11Z",
                "updated_at": "2025-01-17T13:40:13Z"
            }
        ],
        "ip_address": "127.0.0.1",
        "otp": {
            "id": "a7efd1ee-d7b2-440e-9284-625e06931745",
            "created_at": "2025-01-17T13:39:29.081428Z"
        },
        "password": {
            "id": "6ec87b0c-67db-42ef-9adb-d106734bde02",
            "created_at": "2025-01-15T13:57:56.735651Z",
            "updated_at": "2025-01-15T13:57:56.735651Z"
        },
        "updated_at": "2025-01-15T13:57:56.724255Z",
        "username": {
            "id": "61580d7d-0c11-4c25-bfca-ace21a14cc01",
            "username": "testmakker",
            "created_at": "2025-01-15T14:45:00.293001Z",
            "updated_at": "2025-01-17T13:46:41.700373Z"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
        "webauthn_credentials": [
            {
                "id": "eaYxbrFQJjl5dW5SAr0KznEmHwAen8HUAiaKN9ijsDY",
                "public_key": "pQECAyYgASFYIMq-SVnCDGIJjK2TAJyEQyXNtOw7x_MuEVUQuW80-AOcIlggyEcR_v5C8PuhrThwgx2urmRqviIb7dyXmGr3oyWk2rU",
                "attestation_type": "packed",
                "aaguid": "70a4ab68-d027-451a-9c86-3b8fd8414f68",
                "last_used_at": "2025-01-17T12:38:28.698563Z",
                "created_at": "2025-01-17T12:38:28.698563Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": true
            },
            {
                "id": "BPtYkS1prrGu1owU3StJwWM5uYtVoD1-h4N_rPHrB84",
                "public_key": "pQECAyYgASFYILo4i3yC0V2kciBHL96EOx08h32CXXIFnuUmggHOhkGvIlggQFIp4CeJhzGpCiTNuQQoyiKV7oMLYxM549ctLJXJkZ0",
                "attestation_type": "packed",
                "aaguid": "649b9062-5892-4223-832b-921c5bce5827",
                "last_used_at": "2025-01-17T12:39:06.718171Z",
                "created_at": "2025-01-17T12:39:06.718171Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": false
            }
        ]
    },
    "evt": "<string>", // the corresponding event type
    "exp": 1737118303,
    "iat": 1737118003,
    "sub": "hanko webhooks"
}

'user.update.email.create' token payload properties

user.update.email.delete

This event is triggered when a user’s email is deleted.

'user.update.email.delete' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "created_at": "2025-01-15T12:57:56.724052Z",
        "emails": [
            {
                "id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "address": "test@example.com",
                "is_verified": true,
                "is_primary": true,
                "created_at": "2025-01-15T13:57:56.72784Z",
                "updated_at": "2025-01-15T13:57:56.72801Z"
            }
        ],
        "id": "42fbd0dc-28fb-4144-892c-c2c4a0f8f5d8",
        "identities": [
            {
                "id": "b3af92c5-414c-4c6b-a3ea-82ee263badef",
                "provider_id": "123456abcd",
                "provider_name": "testprovider",
                "email_id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "created_at": "2025-01-17T13:40:11Z",
                "updated_at": "2025-01-17T13:40:13Z"
            }
        ],
        "ip_address": "127.0.0.1",
        "otp": {
            "id": "a7efd1ee-d7b2-440e-9284-625e06931745",
            "created_at": "2025-01-17T13:39:29.081428Z"
        },
        "password": {
            "id": "6ec87b0c-67db-42ef-9adb-d106734bde02",
            "created_at": "2025-01-15T13:57:56.735651Z",
            "updated_at": "2025-01-15T13:57:56.735651Z"
        },
        "updated_at": "2025-01-15T13:57:56.724255Z",
        "username": {
            "id": "61580d7d-0c11-4c25-bfca-ace21a14cc01",
            "username": "testmakker",
            "created_at": "2025-01-15T14:45:00.293001Z",
            "updated_at": "2025-01-17T13:46:41.700373Z"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
        "webauthn_credentials": [
            {
                "id": "eaYxbrFQJjl5dW5SAr0KznEmHwAen8HUAiaKN9ijsDY",
                "public_key": "pQECAyYgASFYIMq-SVnCDGIJjK2TAJyEQyXNtOw7x_MuEVUQuW80-AOcIlggyEcR_v5C8PuhrThwgx2urmRqviIb7dyXmGr3oyWk2rU",
                "attestation_type": "packed",
                "aaguid": "70a4ab68-d027-451a-9c86-3b8fd8414f68",
                "last_used_at": "2025-01-17T12:38:28.698563Z",
                "created_at": "2025-01-17T12:38:28.698563Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": true
            },
            {
                "id": "BPtYkS1prrGu1owU3StJwWM5uYtVoD1-h4N_rPHrB84",
                "public_key": "pQECAyYgASFYILo4i3yC0V2kciBHL96EOx08h32CXXIFnuUmggHOhkGvIlggQFIp4CeJhzGpCiTNuQQoyiKV7oMLYxM549ctLJXJkZ0",
                "attestation_type": "packed",
                "aaguid": "649b9062-5892-4223-832b-921c5bce5827",
                "last_used_at": "2025-01-17T12:39:06.718171Z",
                "created_at": "2025-01-17T12:39:06.718171Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": false
            }
        ]
    },
    "evt": "<string>", // the corresponding event type
    "exp": 1737118303,
    "iat": 1737118003,
    "sub": "hanko webhooks"
}

'user.update.email.delete' token payload properties

user.update.email.primary

This event is triggered when a user’s email is set as the primary email.

'user.update.email.primary' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "created_at": "2025-01-15T12:57:56.724052Z",
        "emails": [
            {
                "id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "address": "test@example.com",
                "is_verified": true,
                "is_primary": true,
                "created_at": "2025-01-15T13:57:56.72784Z",
                "updated_at": "2025-01-15T13:57:56.72801Z"
            }
        ],
        "id": "42fbd0dc-28fb-4144-892c-c2c4a0f8f5d8",
        "identities": [
            {
                "id": "b3af92c5-414c-4c6b-a3ea-82ee263badef",
                "provider_id": "123456abcd",
                "provider_name": "testprovider",
                "email_id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "created_at": "2025-01-17T13:40:11Z",
                "updated_at": "2025-01-17T13:40:13Z"
            }
        ],
        "ip_address": "127.0.0.1",
        "otp": {
            "id": "a7efd1ee-d7b2-440e-9284-625e06931745",
            "created_at": "2025-01-17T13:39:29.081428Z"
        },
        "password": {
            "id": "6ec87b0c-67db-42ef-9adb-d106734bde02",
            "created_at": "2025-01-15T13:57:56.735651Z",
            "updated_at": "2025-01-15T13:57:56.735651Z"
        },
        "updated_at": "2025-01-15T13:57:56.724255Z",
        "username": {
            "id": "61580d7d-0c11-4c25-bfca-ace21a14cc01",
            "username": "testmakker",
            "created_at": "2025-01-15T14:45:00.293001Z",
            "updated_at": "2025-01-17T13:46:41.700373Z"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
        "webauthn_credentials": [
            {
                "id": "eaYxbrFQJjl5dW5SAr0KznEmHwAen8HUAiaKN9ijsDY",
                "public_key": "pQECAyYgASFYIMq-SVnCDGIJjK2TAJyEQyXNtOw7x_MuEVUQuW80-AOcIlggyEcR_v5C8PuhrThwgx2urmRqviIb7dyXmGr3oyWk2rU",
                "attestation_type": "packed",
                "aaguid": "70a4ab68-d027-451a-9c86-3b8fd8414f68",
                "last_used_at": "2025-01-17T12:38:28.698563Z",
                "created_at": "2025-01-17T12:38:28.698563Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": true
            },
            {
                "id": "BPtYkS1prrGu1owU3StJwWM5uYtVoD1-h4N_rPHrB84",
                "public_key": "pQECAyYgASFYILo4i3yC0V2kciBHL96EOx08h32CXXIFnuUmggHOhkGvIlggQFIp4CeJhzGpCiTNuQQoyiKV7oMLYxM549ctLJXJkZ0",
                "attestation_type": "packed",
                "aaguid": "649b9062-5892-4223-832b-921c5bce5827",
                "last_used_at": "2025-01-17T12:39:06.718171Z",
                "created_at": "2025-01-17T12:39:06.718171Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": false
            }
        ]
    },
    "evt": "<string>", // the corresponding event type
    "exp": 1737118303,
    "iat": 1737118003,
    "sub": "hanko webhooks"
}

'user.update.email.primary' token payload properties

user.update.password.update

This event is triggered when a user updates their password through the profile.

'user.update.password.update' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "created_at": "2025-01-15T12:57:56.724052Z",
        "emails": [
            {
                "id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "address": "test@example.com",
                "is_verified": true,
                "is_primary": true,
                "created_at": "2025-01-15T13:57:56.72784Z",
                "updated_at": "2025-01-15T13:57:56.72801Z"
            }
        ],
        "id": "42fbd0dc-28fb-4144-892c-c2c4a0f8f5d8",
        "identities": [
            {
                "id": "b3af92c5-414c-4c6b-a3ea-82ee263badef",
                "provider_id": "123456abcd",
                "provider_name": "testprovider",
                "email_id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "created_at": "2025-01-17T13:40:11Z",
                "updated_at": "2025-01-17T13:40:13Z"
            }
        ],
        "ip_address": "127.0.0.1",
        "otp": {
            "id": "a7efd1ee-d7b2-440e-9284-625e06931745",
            "created_at": "2025-01-17T13:39:29.081428Z"
        },
        "password": {
            "id": "6ec87b0c-67db-42ef-9adb-d106734bde02",
            "created_at": "2025-01-15T13:57:56.735651Z",
            "updated_at": "2025-01-15T13:57:56.735651Z"
        },
        "updated_at": "2025-01-15T13:57:56.724255Z",
        "username": {
            "id": "61580d7d-0c11-4c25-bfca-ace21a14cc01",
            "username": "testmakker",
            "created_at": "2025-01-15T14:45:00.293001Z",
            "updated_at": "2025-01-17T13:46:41.700373Z"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
        "webauthn_credentials": [
            {
                "id": "eaYxbrFQJjl5dW5SAr0KznEmHwAen8HUAiaKN9ijsDY",
                "public_key": "pQECAyYgASFYIMq-SVnCDGIJjK2TAJyEQyXNtOw7x_MuEVUQuW80-AOcIlggyEcR_v5C8PuhrThwgx2urmRqviIb7dyXmGr3oyWk2rU",
                "attestation_type": "packed",
                "aaguid": "70a4ab68-d027-451a-9c86-3b8fd8414f68",
                "last_used_at": "2025-01-17T12:38:28.698563Z",
                "created_at": "2025-01-17T12:38:28.698563Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": true
            },
            {
                "id": "BPtYkS1prrGu1owU3StJwWM5uYtVoD1-h4N_rPHrB84",
                "public_key": "pQECAyYgASFYILo4i3yC0V2kciBHL96EOx08h32CXXIFnuUmggHOhkGvIlggQFIp4CeJhzGpCiTNuQQoyiKV7oMLYxM549ctLJXJkZ0",
                "attestation_type": "packed",
                "aaguid": "649b9062-5892-4223-832b-921c5bce5827",
                "last_used_at": "2025-01-17T12:39:06.718171Z",
                "created_at": "2025-01-17T12:39:06.718171Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": false
            }
        ]
    },
    "evt": "<string>", // the corresponding event type
    "exp": 1737118303,
    "iat": 1737118003,
    "sub": "hanko webhooks"
}

'user.update.password.update' token payload properties

user.update.username

Subscribing to this event implies subscription to the following events: user.update.username.create, user.update.username.delete, user.update.username.update

user.update.username.create

This event is triggered when a username is created for a user.

'user.update.username.create' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "created_at": "2025-01-15T12:57:56.724052Z",
        "emails": [
            {
                "id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "address": "test@example.com",
                "is_verified": true,
                "is_primary": true,
                "created_at": "2025-01-15T13:57:56.72784Z",
                "updated_at": "2025-01-15T13:57:56.72801Z"
            }
        ],
        "id": "42fbd0dc-28fb-4144-892c-c2c4a0f8f5d8",
        "identities": [
            {
                "id": "b3af92c5-414c-4c6b-a3ea-82ee263badef",
                "provider_id": "123456abcd",
                "provider_name": "testprovider",
                "email_id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "created_at": "2025-01-17T13:40:11Z",
                "updated_at": "2025-01-17T13:40:13Z"
            }
        ],
        "ip_address": "127.0.0.1",
        "otp": {
            "id": "a7efd1ee-d7b2-440e-9284-625e06931745",
            "created_at": "2025-01-17T13:39:29.081428Z"
        },
        "password": {
            "id": "6ec87b0c-67db-42ef-9adb-d106734bde02",
            "created_at": "2025-01-15T13:57:56.735651Z",
            "updated_at": "2025-01-15T13:57:56.735651Z"
        },
        "updated_at": "2025-01-15T13:57:56.724255Z",
        "username": {
            "id": "61580d7d-0c11-4c25-bfca-ace21a14cc01",
            "username": "testmakker",
            "created_at": "2025-01-15T14:45:00.293001Z",
            "updated_at": "2025-01-17T13:46:41.700373Z"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
        "webauthn_credentials": [
            {
                "id": "eaYxbrFQJjl5dW5SAr0KznEmHwAen8HUAiaKN9ijsDY",
                "public_key": "pQECAyYgASFYIMq-SVnCDGIJjK2TAJyEQyXNtOw7x_MuEVUQuW80-AOcIlggyEcR_v5C8PuhrThwgx2urmRqviIb7dyXmGr3oyWk2rU",
                "attestation_type": "packed",
                "aaguid": "70a4ab68-d027-451a-9c86-3b8fd8414f68",
                "last_used_at": "2025-01-17T12:38:28.698563Z",
                "created_at": "2025-01-17T12:38:28.698563Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": true
            },
            {
                "id": "BPtYkS1prrGu1owU3StJwWM5uYtVoD1-h4N_rPHrB84",
                "public_key": "pQECAyYgASFYILo4i3yC0V2kciBHL96EOx08h32CXXIFnuUmggHOhkGvIlggQFIp4CeJhzGpCiTNuQQoyiKV7oMLYxM549ctLJXJkZ0",
                "attestation_type": "packed",
                "aaguid": "649b9062-5892-4223-832b-921c5bce5827",
                "last_used_at": "2025-01-17T12:39:06.718171Z",
                "created_at": "2025-01-17T12:39:06.718171Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": false
            }
        ]
    },
    "evt": "<string>", // the corresponding event type
    "exp": 1737118303,
    "iat": 1737118003,
    "sub": "hanko webhooks"
}

'user.update.username.create' token payload properties

user.update.username.delete

This event is triggered when a user’s username is deleted.

'user.update.username.delete' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "created_at": "2025-01-15T12:57:56.724052Z",
        "emails": [
            {
                "id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "address": "test@example.com",
                "is_verified": true,
                "is_primary": true,
                "created_at": "2025-01-15T13:57:56.72784Z",
                "updated_at": "2025-01-15T13:57:56.72801Z"
            }
        ],
        "id": "42fbd0dc-28fb-4144-892c-c2c4a0f8f5d8",
        "identities": [
            {
                "id": "b3af92c5-414c-4c6b-a3ea-82ee263badef",
                "provider_id": "123456abcd",
                "provider_name": "testprovider",
                "email_id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "created_at": "2025-01-17T13:40:11Z",
                "updated_at": "2025-01-17T13:40:13Z"
            }
        ],
        "ip_address": "127.0.0.1",
        "otp": {
            "id": "a7efd1ee-d7b2-440e-9284-625e06931745",
            "created_at": "2025-01-17T13:39:29.081428Z"
        },
        "password": {
            "id": "6ec87b0c-67db-42ef-9adb-d106734bde02",
            "created_at": "2025-01-15T13:57:56.735651Z",
            "updated_at": "2025-01-15T13:57:56.735651Z"
        },
        "updated_at": "2025-01-15T13:57:56.724255Z",
        "username": {
            "id": "61580d7d-0c11-4c25-bfca-ace21a14cc01",
            "username": "testmakker",
            "created_at": "2025-01-15T14:45:00.293001Z",
            "updated_at": "2025-01-17T13:46:41.700373Z"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
        "webauthn_credentials": [
            {
                "id": "eaYxbrFQJjl5dW5SAr0KznEmHwAen8HUAiaKN9ijsDY",
                "public_key": "pQECAyYgASFYIMq-SVnCDGIJjK2TAJyEQyXNtOw7x_MuEVUQuW80-AOcIlggyEcR_v5C8PuhrThwgx2urmRqviIb7dyXmGr3oyWk2rU",
                "attestation_type": "packed",
                "aaguid": "70a4ab68-d027-451a-9c86-3b8fd8414f68",
                "last_used_at": "2025-01-17T12:38:28.698563Z",
                "created_at": "2025-01-17T12:38:28.698563Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": true
            },
            {
                "id": "BPtYkS1prrGu1owU3StJwWM5uYtVoD1-h4N_rPHrB84",
                "public_key": "pQECAyYgASFYILo4i3yC0V2kciBHL96EOx08h32CXXIFnuUmggHOhkGvIlggQFIp4CeJhzGpCiTNuQQoyiKV7oMLYxM549ctLJXJkZ0",
                "attestation_type": "packed",
                "aaguid": "649b9062-5892-4223-832b-921c5bce5827",
                "last_used_at": "2025-01-17T12:39:06.718171Z",
                "created_at": "2025-01-17T12:39:06.718171Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": false
            }
        ]
    },
    "evt": "<string>", // the corresponding event type
    "exp": 1737118303,
    "iat": 1737118003,
    "sub": "hanko webhooks"
}

'user.update.username.delete' token payload properties

user.update.username.update

This event is triggered when a user’s username is updated.

'user.update.username.update' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "created_at": "2025-01-15T12:57:56.724052Z",
        "emails": [
            {
                "id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "address": "test@example.com",
                "is_verified": true,
                "is_primary": true,
                "created_at": "2025-01-15T13:57:56.72784Z",
                "updated_at": "2025-01-15T13:57:56.72801Z"
            }
        ],
        "id": "42fbd0dc-28fb-4144-892c-c2c4a0f8f5d8",
        "identities": [
            {
                "id": "b3af92c5-414c-4c6b-a3ea-82ee263badef",
                "provider_id": "123456abcd",
                "provider_name": "testprovider",
                "email_id": "d31be36d-08d7-409f-8437-1920628e6e51",
                "created_at": "2025-01-17T13:40:11Z",
                "updated_at": "2025-01-17T13:40:13Z"
            }
        ],
        "ip_address": "127.0.0.1",
        "otp": {
            "id": "a7efd1ee-d7b2-440e-9284-625e06931745",
            "created_at": "2025-01-17T13:39:29.081428Z"
        },
        "password": {
            "id": "6ec87b0c-67db-42ef-9adb-d106734bde02",
            "created_at": "2025-01-15T13:57:56.735651Z",
            "updated_at": "2025-01-15T13:57:56.735651Z"
        },
        "updated_at": "2025-01-15T13:57:56.724255Z",
        "username": {
            "id": "61580d7d-0c11-4c25-bfca-ace21a14cc01",
            "username": "testmakker",
            "created_at": "2025-01-15T14:45:00.293001Z",
            "updated_at": "2025-01-17T13:46:41.700373Z"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36",
        "webauthn_credentials": [
            {
                "id": "eaYxbrFQJjl5dW5SAr0KznEmHwAen8HUAiaKN9ijsDY",
                "public_key": "pQECAyYgASFYIMq-SVnCDGIJjK2TAJyEQyXNtOw7x_MuEVUQuW80-AOcIlggyEcR_v5C8PuhrThwgx2urmRqviIb7dyXmGr3oyWk2rU",
                "attestation_type": "packed",
                "aaguid": "70a4ab68-d027-451a-9c86-3b8fd8414f68",
                "last_used_at": "2025-01-17T12:38:28.698563Z",
                "created_at": "2025-01-17T12:38:28.698563Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": true
            },
            {
                "id": "BPtYkS1prrGu1owU3StJwWM5uYtVoD1-h4N_rPHrB84",
                "public_key": "pQECAyYgASFYILo4i3yC0V2kciBHL96EOx08h32CXXIFnuUmggHOhkGvIlggQFIp4CeJhzGpCiTNuQQoyiKV7oMLYxM549ctLJXJkZ0",
                "attestation_type": "packed",
                "aaguid": "649b9062-5892-4223-832b-921c5bce5827",
                "last_used_at": "2025-01-17T12:39:06.718171Z",
                "created_at": "2025-01-17T12:39:06.718171Z",
                "transports": [
                    "usb"
                ],
                "backup_eligible": false,
                "backup_state": false,
                "mfa_only": false
            }
        ]
    },
    "evt": "<string>", // the corresponding event type
    "exp": 1737118303,
    "iat": 1737118003,
    "sub": "hanko webhooks"
}

'user.update.username.update' token payload properties

email.send

This event is triggered when an email is sent. Subscribe to this event if you want to send customized emails instead of emails based on built-in templates. See Custom Emails for more information.

'email.send' token payload example

{
    "aud": [
        "Test Service ABC"
    ],
    "data": {
        "subject": "Use passcode 325139 to verify your email address",
        "body_plain": "Enter the following passcode to verify your email address:\n\n325139\n\nThe passcode is valid for 5 minutes.",
        "to_email_address": "test@example.com",
        "delivered_by_hanko": false,
        "language": "en",
        "type": "passcode",
        "data": {
            "service_name": "Test Service ABC",
            "otp_code": "325139",
            "ttl": 300,
            "valid_until": 1737128997
        }
    },
    "evt": "email.send",
    "exp": 1737128997,
    "iat": 1737128697,
    "sub": "hanko webhooks"
}

'email.send' token payload properties

Getting started

Guides

Using the Hanko API

Integrations

Resources

FAQ & support

Using Hanko webhooks

About webhooks

Creating webhooks

Handling webhook deliveries

Editing and removing webhooks

Events

Event payload

Event types and token payloads

user

user.create

user.delete

user.update

user.update.email

user.update.email.create

user.update.email.delete

user.update.email.primary

user.update.password.update

user.update.username

user.update.username.create

user.update.username.delete

user.update.username.update

email.send

Getting started

Guides

Using the Hanko API

Integrations

Resources

FAQ & support

​About webhooks

​Creating webhooks

​Handling webhook deliveries

​Editing and removing webhooks

​Events

​Event payload

​Event types and token payloads

​user

​user.create

​user.delete

​user.login

​user.update

​user.update.email

​user.update.email.create

​user.update.email.delete

​user.update.email.primary

​user.update.password.update

​user.update.username

​user.update.username.create

​user.update.username.delete

​user.update.username.update

​email.send

About webhooks

Creating webhooks

Handling webhook deliveries

Editing and removing webhooks

Events

Event payload

Event types and token payloads

user

user.create

user.delete

user.login

user.update

user.update.email

user.update.email.create

user.update.email.delete

user.update.email.primary

user.update.password.update

user.update.username

user.update.username.create

user.update.username.delete

user.update.username.update

email.send