Event catalogue
Complete reference for every webhook event type emitted by the Wocha platform
Complete reference for every webhook event type emitted by the Wocha platform. These events are persisted to the Events API and delivered to registered webhook subscribers.
Envelope format
Every webhook delivery uses the same top-level envelope:
| Field | Type | Description |
|---|---|---|
event_type | string | Canonical event identifier (see table below) |
event_id | string | Unique UUID for this delivery |
timestamp | string | ISO 8601 timestamp included in the HMAC signature |
idempotency_key | string | UUID for subscriber-side deduplication |
data | object | Event-specific payload (documented per event) |
Request headers
Legacy event names
Some internal dispatch paths still emit legacy names. The Events API normalizes these automatically:
| Legacy name | Canonical name |
|---|---|
org.created | organisation.created |
org.updated | organisation.updated |
org.deleted | organisation.deleted |
org.member.added | organisation.member_added |
org.member.removed | organisation.member_removed |
org.member.updated | organisation.member_updated |
org.member.default_roles_applied | organisation.member_default_roles_applied |
Webhook subscribers may receive either form depending on the emitting code path. Treat both as equivalent.
User events
user.created
Description: A new identity was registered in the tenant.
When it fires:
- Self-service registration completes (Kratos post-registration hook)
- An admin creates a user via the Management API
- SCIM or bulk import provisions a new identity
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Identity ID (identity_id in some dispatch paths) |
data.email | string | yes | Primary email address |
data.name | string | no | Display name or { first, last } object |
data.org_id | string | no | Organisation the user was assigned to at creation |
data.created_at | string | yes | ISO 8601 creation timestamp |
user.updated
Description: User traits, metadata, or account state changed.
When it fires:
- Profile fields are edited in Console or via API
- Account state transitions (e.g.
active→suspended) - Email or name traits are updated
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Identity ID |
data.email | string | no | Updated email (if changed) |
data.name | string | no | Updated display name |
data.state | string | no | Account state (active, suspended, etc.) |
data.updated_at | string | yes | ISO 8601 update timestamp |
user.deleted
Description: An identity was permanently removed from the tenant.
When it fires:
- Admin deletes a user via Console or Management API
- SCIM deprovisioning removes the identity
- GDPR erasure workflow completes
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Deleted identity ID |
data.deleted_at | string | yes | ISO 8601 deletion timestamp |
Session events
session.created
Description: A new authenticated session was issued.
When it fires:
- User completes sign-in (password, social, SSO, or passkey)
- Token refresh creates a new session record (if configured)
- Machine-to-machine token exchange issues a session
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Session ID |
data.identity_id | string | yes | Identity that owns the session |
data.authenticated_at | string | yes | ISO 8601 authentication timestamp |
data.expires_at | string | yes | ISO 8601 session expiry |
data.aal | string | yes | Authenticator assurance level (aal1, aal2) |
data.org_id | string | no | Active organisation context |
session.revoked
Description: A session was terminated before its natural expiry.
When it fires:
- User signs out
- Admin revokes a session via Console or API
- Security policy forces session invalidation
- Password reset or account suspension revokes active sessions
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Revoked session ID |
data.identity_id | string | yes | Identity that owned the session |
data.revoked_at | string | yes | ISO 8601 revocation timestamp |
data.reason | string | no | Revocation reason (user_logout, admin_revoke, policy) |
Organisation events
organisation.created
Description: A new organisation was created in the tenant hierarchy.
When it fires:
- Admin creates an organisation via Console or Management API
- Self-service org signup completes
- Parent org provisions a child organisation
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Organisation ID |
data.slug | string | yes | URL-safe identifier |
data.display_name | string | yes | Human-readable name |
data.parent_id | string | no | Parent organisation ID (for nested hierarchies) |
data.created_at | string | yes | ISO 8601 creation timestamp |
organisation.updated
Description: Organisation metadata or configuration changed.
When it fires:
- Display name or slug is updated
- Organisation settings are modified via Console or API
- Branding or metadata fields change
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Organisation ID |
data.slug | string | no | Updated slug (if changed) |
data.display_name | string | no | Updated display name |
data.updated_at | string | yes | ISO 8601 update timestamp |
organisation.deleted
Description: An organisation was permanently removed.
When it fires:
- Admin deletes an organisation via Console or Management API
- Tenant cleanup removes an empty organisation
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Deleted organisation ID |
data.deleted_at | string | yes | ISO 8601 deletion timestamp |
organisation.member_added
Description: A user was added to an organisation with a role.
When it fires:
- Admin invites or adds a member via Console or API
- SCIM group sync adds a user to an organisation
- Self-service join flow completes
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.org_id | string | yes | Organisation ID |
data.identity_id | string | yes | Added member's identity ID |
data.role | string | yes | Assigned role (owner, admin, member) |
data.added_at | string | yes | ISO 8601 timestamp |
organisation.member_removed
Description: A user was removed from an organisation.
When it fires:
- Admin removes a member via Console or API
- SCIM deprovisioning removes group membership
- User leaves an organisation voluntarily
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.org_id | string | yes | Organisation ID |
data.identity_id | string | yes | Removed member's identity ID |
data.removed_at | string | yes | ISO 8601 timestamp |
organisation.member_updated
Description: A member's role or permissions within an organisation changed.
When it fires:
- Admin changes a member's role via Console or API
- SCIM group sync updates role assignment
- Default roles are applied after org creation
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.org_id | string | yes | Organisation ID |
data.identity_id | string | yes | Member's identity ID |
data.role | string | yes | New role |
data.previous_role | string | no | Previous role (if known) |
data.updated_at | string | yes | ISO 8601 timestamp |
organisation.member_default_roles_applied
Description: Default roles were applied to an organisation member after join or provisioning.
When it fires:
- A new member is added and tenant default role policy runs
- SCIM provisioning applies configured default roles
- Admin invite acceptance triggers default role assignment
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.org_id | string | yes | Organisation ID |
data.identity_id | string | yes | Member's identity ID |
data.roles | string[] | yes | Roles that were applied |
data.applied_at | string | yes | ISO 8601 timestamp |
Connection events
connection.created
Description: A social, enterprise SSO, or SCIM connection was added to the tenant.
When it fires:
- Admin configures a new OIDC/SAML connection
- Social login provider is enabled
- SCIM provisioning endpoint is registered
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Connection ID |
data.type | string | yes | Connection type (oidc, saml, social, scim) |
data.provider | string | yes | Provider identifier (okta, google, github, etc.) |
data.created_at | string | yes | ISO 8601 creation timestamp |
connection.activated
Description: A connection was enabled and is now available for authentication.
When it fires:
- Admin toggles a connection to active
- Domain verification completes for an enterprise connection
- Connection health check passes after initial setup
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Connection ID |
data.type | string | yes | Connection type |
data.provider | string | yes | Provider identifier |
data.activated_at | string | yes | ISO 8601 activation timestamp |
connection.deactivated
Description: A connection was disabled and is no longer available for authentication.
When it fires:
- Admin disables a connection via Console or API
- Automated health monitoring marks a connection unhealthy
- Provider certificate expiry triggers deactivation
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Connection ID |
data.type | string | yes | Connection type |
data.provider | string | yes | Provider identifier |
data.deactivated_at | string | yes | ISO 8601 deactivation timestamp |
data.reason | string | no | Deactivation reason |
Application events
application.created
Description: A new OAuth client application was registered.
When it fires:
- Admin creates an application via Console or Management API
- CLI auto-provisioning creates an OAuth app during
wocha init - Terraform provider creates an application resource
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Application ID |
data.client_id | string | yes | OAuth client ID |
data.client_name | string | yes | Human-readable application name |
data.created_at | string | yes | ISO 8601 creation timestamp |
application.updated
Description: OAuth application configuration changed.
When it fires:
- Redirect URIs, grant types, or scopes are modified
- Application name or metadata is updated
- Token endpoint auth method changes
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Application ID |
data.client_id | string | yes | OAuth client ID |
data.client_name | string | no | Updated application name |
data.updated_at | string | yes | ISO 8601 update timestamp |
application.deleted
Description: An OAuth client application was permanently removed.
When it fires:
- Admin deletes an application via Console or Management API
- Terraform destroy removes an application resource
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Deleted application ID |
data.client_id | string | yes | OAuth client ID |
data.deleted_at | string | yes | ISO 8601 deletion timestamp |
API key events
api_key.created
Description: A new Management API key was created.
When it fires:
- Admin creates an API key via Console or Management API
- Terraform
wocha_api_keyresource is created - CLI auto-provisioning generates a key during setup
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | API key ID |
data.name | string | yes | Human-readable key name |
data.prefix | string | yes | Key prefix (secret is never included) |
data.scopes | string[] | no | Granted scopes |
data.environment_id | string | no | Environment scope, if any |
data.created_at | string | yes | ISO 8601 creation timestamp |
api_key.rotated
Description: An API key was rotated — a new key replaces the old one.
When it fires:
- Admin rotates a key via Console or Management API
- Scheduled rotation policy executes
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | New API key ID |
data.previous_id | string | yes | Previous key ID (now revoked) |
data.name | string | yes | Key name |
data.prefix | string | yes | New key prefix |
data.rotated_at | string | yes | ISO 8601 rotation timestamp |
api_key.revoked
Description: An API key was permanently revoked.
When it fires:
- Admin revokes a key via Console or Management API
- Key rotation retires the previous key
- Security policy disables a compromised key
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Revoked API key ID |
data.name | string | no | Key name |
data.revoked_at | string | yes | ISO 8601 revocation timestamp |
data.reason | string | no | Revocation reason (rotation, admin_revoke, policy) |
Environment events
environment.created
Description: A new environment was created for config isolation (e.g. staging, production).
When it fires:
- Admin creates an environment via Console or Management API
- Terraform or CLI provisioning creates a default environment
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Environment ID |
data.name | string | yes | Display name |
data.slug | string | yes | URL-safe identifier |
data.created_at | string | yes | ISO 8601 creation timestamp |
environment.updated
Description: Environment metadata or configuration changed.
When it fires:
- Display name or slug is updated via Console or API
- Environment settings are modified
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Environment ID |
data.name | string | no | Updated display name |
data.slug | string | no | Updated slug |
data.updated_at | string | yes | ISO 8601 update timestamp |
environment.deleted
Description: An environment was permanently removed.
When it fires:
- Admin deletes an environment via Console or Management API
- Tenant cleanup removes an unused environment
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Deleted environment ID |
data.deleted_at | string | yes | ISO 8601 deletion timestamp |
environment.promoted
Description: Configuration was promoted from one environment to another.
When it fires:
- Admin promotes staging config to production via Console or Management API
- CI/CD pipeline triggers an environment promotion
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.source_environment_id | string | yes | Source environment ID |
data.target_environment_id | string | yes | Target environment ID |
data.promoted_at | string | yes | ISO 8601 promotion timestamp |
data.resources | string[] | no | Resource types included in the promotion |
Feature flag events
feature_flag.created
Description: A new feature flag was created.
When it fires:
- Admin creates a flag via Console or Management API
- Terraform or config sync provisions a new flag
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Feature flag ID |
data.key | string | yes | Flag key used in evaluation |
data.name | string | yes | Human-readable name |
data.enabled | boolean | yes | Default enabled state |
data.created_at | string | yes | ISO 8601 creation timestamp |
feature_flag.updated
Description: Feature flag configuration or overrides changed.
When it fires:
- Flag default value or targeting rules are updated
- Per-organisation or per-user overrides are added or modified
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Feature flag ID |
data.key | string | yes | Flag key |
data.enabled | boolean | no | Updated default enabled state |
data.updated_at | string | yes | ISO 8601 update timestamp |
feature_flag.deleted
Description: A feature flag was permanently removed.
When it fires:
- Admin deletes a flag via Console or Management API
- Config cleanup removes an unused flag
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Deleted feature flag ID |
data.key | string | yes | Flag key |
data.deleted_at | string | yes | ISO 8601 deletion timestamp |
Tenant events
tenant.signup
Description: A new tenant signed up for Wocha Cloud.
When it fires:
- Self-service signup completes on wocha.ai
- Sales-assisted onboarding creates a pending tenant record
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.tenant_id | string | yes | Tenant ID |
data.slug | string | yes | Tenant slug |
data.email | string | yes | Primary admin email |
data.signed_up_at | string | yes | ISO 8601 signup timestamp |
tenant.provisioned
Description: A tenant was fully provisioned and activated.
When it fires:
- Schema provisioning and default config seeding complete
- Tenant transitions from pending to active status
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.tenant_id | string | yes | Tenant ID |
data.slug | string | yes | Tenant slug |
data.provisioned_at | string | yes | ISO 8601 provisioning timestamp |
Product events
product.registered
Description: A product was registered for a tenant.
When it fires:
- Admin registers a product via Console or Management API
- Onboarding flow creates the initial product record for billing and entitlements
Example payload:
Available fields:
| Field | Type | Required | Description |
|---|---|---|---|
data.id | string | yes | Product ID |
data.name | string | yes | Product name |
data.slug | string | yes | URL-safe identifier |
data.registered_at | string | yes | ISO 8601 registration timestamp |
Quick reference
| Event type | Category |
|---|---|
user.created | User |
user.updated | User |
user.deleted | User |
session.created | Session |
session.revoked | Session |
organisation.created | Organisation |
organisation.updated | Organisation |
organisation.deleted | Organisation |
organisation.member_added | Organisation |
organisation.member_removed | Organisation |
organisation.member_updated | Organisation |
connection.created | Connection |
connection.activated | Connection |
connection.deactivated | Connection |
application.created | Application |
application.updated | Application |
application.deleted | Application |
organisation.member_default_roles_applied | Organisation |
api_key.created | API key |
api_key.rotated | API key |
api_key.revoked | API key |
environment.created | Environment |
environment.updated | Environment |
environment.deleted | Environment |
environment.promoted | Environment |
feature_flag.created | Feature flag |
feature_flag.updated | Feature flag |
feature_flag.deleted | Feature flag |
tenant.signup | Tenant |
tenant.provisioned | Tenant |
product.registered | Product |
Related
- Webhook integration guide
- Handler examples
wocha webhook listen— local development receiver- Agent skill: wocha-webhooks