The action verification webhook can be used to add synchronous logic to challenge verification workflows.

Delivery behavior

Webhooks expect a 200 OK response for successful requests. The action verification webhook is synchronous. It is invoked when an action is about to transition to CHALLENGE_SUCCEEDED. A non-200 response or a timeout is treated as an error. The user can retry by re-running the verification. There are no automatic retries.

Configuration

To configure a webhook URL for the action verification event, set verificationWebhookUrl on the relevant action configuration in the Authsignal Portal or via the Create Action Configuration and Update Action Configuration Management API endpoints.

Verifying webhook events

It is critical to verify that incoming requests to your webhook have been sent by Authsignal and to reject any unauthorized requests. The recommended approach to verify webhook events is to use an Authsignal Server SDK to handle the incoming request.

import { Authsignal } from "@authsignal/node";

const authsignal = new Authsignal({ apiSecretKey: "YOUR_SERVER_API_SECRET_KEY" });

// Obtain raw request body and signature header
// For example using Express (https://expressjs.com/)
const payload = req.body; // must be the raw, unparsed request body
// Node.js lowercases incoming header names, so read the header in lowercase
const sig = req.headers["x-signature-v2"];

// Verify the signature and construct the event to be handled
const event = authsignal.webhook.constructEvent(payload, sig);

By passing the raw request body along with the X-Signature-V2 header to the SDK, it will verify that the request is valid and construct the event to be handled.

The Authsignal SDK requires the raw body of the request to verify the signature. If you're using a framework, make sure it doesn't manipulate the raw body as this will cause the signature verification to fail.
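
The raw-body requirement above, shown as an added example that is not Authsignal's code: a signature computed over the sender's exact bytes stops matching once a JSON body parser has parsed and re-serialized the payload. The hex HMAC-SHA256 scheme, the secret and the sample payload are assumptions constructed for illustration; the real X-Signature-V2 format is handled inside the SDK and is not described on this page.

```javascript
const crypto = require("node:crypto");

// ASSUMPTION: stand-in scheme, hex HMAC-SHA256 over the exact body bytes.
// Authsignal's real X-Signature-V2 format is not described on this page.
function sign(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Constant-time comparison; returns false rather than throwing on bad input.
function verify(rawBody, signature, secret) {
  if (typeof signature !== "string") return false;
  const expected = Buffer.from(sign(rawBody, secret), "hex");
  const received = Buffer.from(signature, "hex");
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed sample: the bytes the sender signed (pretty-printed JSON).
const SECRET = "constructed-test-secret";
const rawBody = Buffer.from(
  '{\n  "type": "action.verify",\n  "data": { "state": "CHALLENGE_SUCCEEDED" }\n}'
);
const signature = sign(rawBody, SECRET);

// What a handler has after a JSON body parser ran first: an object that can
// only be re-serialized, and those bytes differ from the signed ones.
function reserialized(raw) {
  return Buffer.from(JSON.stringify(JSON.parse(raw.toString("utf8"))));
}

// Parse the event only after the signature check passes on the raw bytes.
// Any non-200 status is treated as an error by the webhook caller.
function handle(raw, sig) {
  if (!verify(raw, sig, SECRET)) return { status: 401, event: null };
  return { status: 200, event: JSON.parse(raw.toString("utf8")) };
}

console.log(handle(rawBody, signature).status);               // 200
console.log(handle(reserialized(rawBody), signature).status); // 401
```

In Express, one way to keep the untouched bytes is to mount `express.raw({ type: "application/json" })` on the webhook route instead of `express.json()`, so that `req.body` is a Buffer.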

Event metadata

id (string, required): A unique identifier for the event.
source (string, required): The source of the event. This is always https://authsignal.com.
time (string, required): The time the event was created in ISO 8601 format.
type (string, required): The type of the event. Each type has a different schema for the data field.
version (string, required): The version of the event.
tenantId (string, required): The ID of the tenant that the event is intended for.
data (object, required): The event-specific data. See below for the schema of the data field for each event type.

Event schema

Action verify

userId (string, required): The ID of the user that the action belongs to.
action (string, required): The action code for the action that is about to succeed.
idempotencyKey (string, required): The idempotency key of the action that triggered the webhook.
verifiedAt (string, required): The time the verification completed in ISO 8601 format.
state (string, required): The pending action state. For action.verify this is always CHALLENGE_SUCCEEDED.
verificationMethod (string, required): The verification method that completed the challenge.
userAuthenticatorId (string): The ID of the user authenticator that completed the challenge, when available.

type: action.verify
{
  "version": 1,
  "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
  "source": "https://authsignal.com",
  "time": "2024-01-01T01:23:45.678Z",
  "tenantId": "dddddddd-dddd-dddd-dddd-dddddddddddd",
  "type": "action.verify",
  "data": {
    "userId": "11111111-1111-1111-1111-111111111111",
    "verificationMethod": "PUSH",
    "action": "signIn",
    "idempotencyKey": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "verifiedAt": "2024-01-01T01:23:45.678Z",
    "state": "CHALLENGE_SUCCEEDED",
    "userAuthenticatorId": "cccccccc-cccc-cccc-cccc-cccccccccccc"
  }
}

IP address allow-listing

Authsignal will send webhooks originating from the following IP addresses:

Region: IP Addresses
US (Oregon): 44.224.97.232, 44.230.210.235, 44.236.208.22, 52.33.85.88
AU (Sydney): 13.210.81.243, 3.105.80.107, 54.252.129.142
EU (Dublin): 34.247.148.106, 34.253.116.90, 54.171.116.55
CA (Montreal): 16.52.98.180, 16.54.49.43, 16.54.18.28