Webhook event cards

Webhooks are a way for different online services or applications to communicate with each other in near-real time. They allow an application to send data to another application when a specific event occurs. This mechanism is commonly used to automate processes and keep different systems in sync without the need for constant manual intervention.

Here's how webhooks generally work:

  • Set up the webhook: The receiving application (the webhook consumer) sets up a webhook with an endpoint URL that listens for incoming webhook payloads from the sending application (the webhook provider).

    As an Okta administrator, you might set up a webhook to receive notifications when events happen in the Okta platform. This event could be, for example, a new user creation, an authentication event, or a password reset.

    Alternatively, you can configure your webhook to work with a third-party application to notify you of external changes, so you can update details within your Okta org.

  • Webhook registration and deregistration are key concepts in the setup and management of webhooks. These processes involve enabling and disabling the communication channel between two applications through webhooks.

    Webhook registration: To establish a webhook, you need to register an endpoint URL with the provider. This location is where your receiving application listens for incoming data.

    Here's how the webhook registration process typically works:

    • Endpoint URL registration: The receiving application (the webhook consumer) provides an endpoint URL. This is the URL that listens for incoming webhook payloads from the sending application (webhook provider).

    • Subscribe to events: The webhook provider, which could be an external application or a service like Okta, allows you to subscribe to specific events. For example, user creation or deactivation, a sign in attempt, or other types of events relevant to the provider's functionality.

    • Payload configuration: During webhook registration, you can configure the payload format and content. This includes specifying what data the webhook provider needs to include in the payload when an event occurs.

    • Confirmation or verification: Some webhook systems require a verification step to ensure that the provided endpoint URL is valid and under your control. This may involve the webhook provider sending a verification token to your endpoint that requires a response to complete validation.

    • Activation: After successful registration, the active webhook is ready to receive event notifications. When specified events occur, the provider sends payloads containing relevant data to your registered endpoint URL.

  • An event trigger: When a specific event occurs on the provider platform, the provider generates a payload containing relevant information about the event.

  • Payload delivery: The webhook provider then sends an HTTP POST request containing the payload with event details to the URL that you registered. The data is typically sent in JSON format.

  • Handling the payload: The receiving application's server processes the incoming POST request. It parses the JSON payload and performs actions based on the event data. This could involve updating a database, sending notifications, or triggering some other business logic.

    When handling payloads, there are two aspects of webhooks to keep in mind:

    • Request aggregation: Incoming payloads can be received as individual items, or as a collected batch of items.

    • Process batched requests: For incoming payloads arriving as a collected batch, the webhook event flow can process each item individually or handle the entire batch as a single item.

  • Response and acknowledgment: After the receiving application has processed the payload, it sends an HTTP response back to the provider. This response indicates whether the receiver successfully received and processed the payload.

  • Retry mechanism: Sometimes, due to network issues or other reasons, the webhook delivery might fail. To ensure reliability, many webhook systems implement a retry mechanism. If the initial delivery attempt fails, the system makes extra attempts to deliver the payload.

  • Webhook deregistration: If you no longer need to receive certain event notifications, or if you're switching to a different endpoint, or decommissioning the webhook altogether, you need to deregister the previously established webhook connection.

    Here's how the webhook deregistration process typically works:

    • Endpoint URL removal: To deregister a webhook, you typically inform the webhook provider to stop sending payloads to a specific endpoint URL.

    • Unsubscribe from events: Similar to registration, you might need to specify which events you want to unsubscribe from. This ensures that you no longer receive event notifications for those events.

    • Deactivation: Once you've successfully deregistered from the events at the provider, you deactivate the webhook for your endpoint URL. You'll no longer receive event payloads.

Webhooks involve exchanging data over the internet, so security is crucial. Implementing proper authentication and authorization mechanisms, such as API keys or tokens, helps ensure that only authorized parties can send or receive webhook data.

Overall, webhooks provide a way for different systems to stay connected and respond to events in near-real time, enabling efficient automation and integration between applications.

Related topics

Build a webhook event flow

Register a webhook event

Deregister a webhook event