Webhooks

Receive real-time notifications for authentication events.

Available Events

  • user.created: New user registered
  • user.updated: User profile updated
  • user.deleted: User account deleted
  • session.created: User logged in
  • session.revoked: Session terminated
  • mfa.enabled: MFA enabled for user
  • mfa.disabled: MFA disabled for user
  • password.changed: Password changed
  • password.reset: Password reset requested

Webhook Payload

{
  "id": "evt_abc123",
  "type": "user.created",
  "timestamp": "2026-01-25T10:00:00Z",
  "realmId": "realm_xyz",
  "data": {
    "userId": "user_123",
    "email": "user@example.com",
    "profile": {
      "firstName": "John",
      "lastName": "Doe"
    }
  }
}

Signature Verification

All webhooks are signed with HMAC-SHA256. Verify the signature to ensure authenticity:

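import crypto from 'crypto';

// Returns true only when `signature` is the hex HMAC-SHA256 of `payload`.
function verifyWebhook(payload: string, signature: unknown, secret: string): boolean {
  // A missing or repeated header is not a string; reject it instead of throwing.
  if (typeof signature !== 'string') return false;

  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  const given = Buffer.from(signature);
  const wanted = Buffer.from(expected);

  // timingSafeEqual throws on buffers of different length, so check length first.
  return given.length === wanted.length && crypto.timingSafeEqual(given, wanted);
}

// In your webhook handler (`app` is your Express app, WEBHOOK_SECRET the signing secret).
// req.rawBody must be the request body exactly as received, before JSON parsing;
// Express does not set it by default (it can be captured with the `verify`
// option of express.json()).
app.post('/webhooks/zalt', (req, res) => {
  const signature = req.headers['x-zalt-signature'];

  if (!verifyWebhook(req.rawBody, signature, WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }

  // Process webhook...
});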

Retry Policy

  • Webhooks are retried up to 5 times
  • Exponential backoff: 1min, 5min, 30min, 2hr, 24hr
  • Respond with 2xx within 30 seconds
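
The signature check and the retry policy above combined in one receiver, as an added example that is not Zalt's own code: the HMAC is verified over the raw body without throwing on malformed headers, and a repeated event id is acknowledged instead of processed twice. The `seenIds` store, the secret and the sample body are constructed, and the example assumes a retried delivery carries the same `id` as the first attempt.

```javascript
const crypto = require('node:crypto');

// Hex HMAC-SHA256 over the exact bytes of the request body.
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Returns false (never throws) for a missing, repeated, wrong-length or wrong header.
function verifySignature(rawBody, header, secret) {
  if (typeof header !== 'string') return false;
  const given = Buffer.from(header, 'utf8');
  const expected = Buffer.from(sign(rawBody, secret), 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// seenIds: Set of event ids already processed (hypothetical in-memory store;
// assumes a retried delivery carries the same "id" as the first attempt).
function handleDelivery(rawBody, header, secret, seenIds) {
  if (!verifySignature(rawBody, header, secret)) return { status: 401, action: 'rejected' };
  let event;
  try {
    event = JSON.parse(rawBody.toString('utf8')); // parse only after the signature checks out
  } catch {
    return { status: 400, action: 'malformed' };
  }
  if (seenIds.has(event.id)) {
    return { status: 200, action: 'duplicate' }; // acknowledge so the sender stops retrying
  }
  seenIds.add(event.id);
  return { status: 200, action: event.type };
}

// Constructed sample delivery: the body is pretty-printed on purpose.
const SECRET = 'example-secret-not-a-real-key';
const RAW = Buffer.from('{\n  "id": "evt_abc123",\n  "type": "user.created"\n}');
const SIG = sign(RAW, SECRET);

function demo() {
  const seen = new Set();
  return {
    first: handleDelivery(RAW, SIG, SECRET, seen).action,       // processed
    retry: handleDelivery(RAW, SIG, SECRET, seen).action,       // same id again
    reserialized: verifySignature(JSON.stringify(JSON.parse(RAW.toString())), SIG, SECRET),
    truncated: verifySignature(RAW, SIG.slice(0, 10), SECRET),  // wrong length
    missing: verifySignature(RAW, undefined, SECRET),           // header absent
  };
}
```

The `reserialized` case fails because `JSON.stringify(JSON.parse(...))` drops the original whitespace, which is why the check has to run on the body as received rather than on a parsed-and-reserialized copy.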