Event model
Treat webhook payloads as immutable event facts with stable identifiers.
Baseline payload shape
{
"id": "evt_01J...",
"type": "session.created",
"occurredAt": "2026-03-05T10:15:30Z",
"workspaceId": "wrk_...",
"projectId": "prj_...",
"environment": "test",
"data": {}
}
data contains the raw domain payload for that event type. The public customer contract does not wrap it again under nested event, projectId, or tenantId producer-specific envelopes.
Event groups
user.*profile.*membership.*invitation.*role.*session.*identity.*security.*application.*domain.*webhook.endpoint.*
Delivery guarantees
- At-least-once delivery
- Retries on non-
2xxresponses - Signed payloads with replay defense
Consumer requirements
- Verify signature before parsing.
- Deduplicate by event ID.
- Process idempotently.
- Return
2xxonly after durable acceptance.
Operational fields to log
- event ID
- workspace/project scope
- processing outcome
- retry count
Related docs
- Webhook signature verification:
/docs/reference/webhook-signatures - Webhooks quickstart:
/docs/quickstart/webhooks