Webhooks
Webhooks allow Kotha Auth to push real-time events securely to your backend application.
Available Events
| Event Name | Description |
|---|---|
session.created | Fired whenever an access token is successfully issued. |
user.created | Fired when a brand new user registers through the Kotha Auth portal. |
Signature Verification
All webhook requests are sent via HTTP POST with a SHA-256 HMAC signature in the X-Kotha-Signature header. Validate this payload to ensure security:
const crypto = require('crypto');
function verifyWebhook(req, secret) {
const signature = req.headers['x-kotha-signature'].replace('sha256=', '');
const computed = crypto
.createHmac('sha256', secret)
.update(JSON.stringify(req.body))
.digest('hex');
return signature === computed;
}