Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.ofauth.com/llms.txt

Use this file to discover all available pages before exploring further.

System Webhook Events deliver webhook notifications to your server when connections change or Dynamic Rules updates are available. Use them to react immediately without polling.

Quick Reference

TypeDeliveryPurpose
Connection eventsWebhookTrack connection creation, updates, and expiry
System eventsWebhookGet notified when Dynamic Rules change

Configuration

Configure System Webhook Events in the OFAuth Dashboard:
  • Set your webhook endpoint URL
  • Choose which events to subscribe to
  • Review delivery history and failures

Connections Guide

Learn how to store and manage connection IDs

Error Handling

Handle delivery failures and retries

Event References

Connection Events

connection.created, connection.updated, and connection.expired

System Events

rules.updated and Dynamic Rules change notifications

Delivery & Retries

  • Retry policy: exponential backoff with up to 5 attempts
  • Timeout: 10 seconds per request
  • Ordering: in-order delivery per connection ID
Your endpoint should return a 2xx response within 10 seconds.

Signature Verification

Every System Webhook Events delivery includes an OFAuth-Signature header: 
OFAuth-Signature: t=1234567890,v1=abc123...
Verify requests by:
  1. Extracting the timestamp (t) and signature (v1)
  2. Rejecting requests older than 5 minutes
  3. Computing an HMAC-SHA256 of {timestamp}.{raw_body} using your signing secret
  4. Comparing the expected signature with a constant-time comparison

Implementation Checklist

  1. Parse the application/json body
  2. Verify the signature before processing
  3. Route the event by type
  4. Return 2xx within 10 seconds
  5. Make handlers idempotent by storing processed event IDs

Troubleshooting

Ensure your endpoint is publicly reachable and returns a 2xx response within 10 seconds.
Verify the endpoint URL and selected subscriptions in the Dashboard.
Use the raw request body, not the parsed JSON body, and confirm the signing secret matches your Dashboard configuration.

Next Steps

Connection Events

Connection lifecycle payloads and examples

System Events

rules.updated deliveries and Dynamic Rules guidance