Callback API (WebHooks)
External systems that integrate with the PowerAuth Cloud components can obtain status about registration and operation change by polling the appropriate API resources. However, this may either put unnecessary performance burden on our systems when the polling is too frequent, or provide sub-optimal user experience when the polling is occasional.
To provide an instant notification about changes in our systems, PowerAuth Cloud can notify your systems via a callback (sometimes called “webhooks”) whenever registration or operation changes.
Callback Authentication
Callbacks support following authentication methods:
- HTTP Basic Authentication - Authentication using username and password.
- Certificate Authentication (mTLS) - Authentication using a client certificate with a custom keystore and truststore (i.e., JKS).
- OAuth2 Authentication - Authentication using OAuth 2.0 client credentials grant type.
When using mTLS certificate authentication, make sure to map a volume with your keystore and truststore files to the running container volumes, so that the application can access the files on a specified location.
Callback Types
There are two callback types:
- Operation Callbacks - Called whenever operation status changes.
- Registration Callbacks - Called whenever registration status changes.
The callback type is distinguished by the type
discriminator value in the root of the JSON payload, which is either set to the OPERATION_STATUS_CHANGE
value (for operation callbacks) or REGISTRATION_STATUS_CHANGE
value (for registration callbacks).
It is possible to customize which of the data fields are sent in the callback payload. For operation callbacks, only type
and operationId
are mandatory fields in the callback. For registration callbacks, the type
and activationId
are mandatory.
Operation Callbacks
{
"type": "OPERATION_STATUS_CHANGE",
"operationId": "$OPERATION_ID",
"userId": "$USER_ID",
"applications": "[$APPLICATION_ID1, ... , $APPLICATION_ID1]",
"operationType": "$OPERATION_TYPE",
"parameters": {
"key1": "$VAL1",
"key2": "$VAL2"
},
"additionalData": {
"activationId": "$ACTIVATION_ID",
"ipAddress": "172.168.240.48",
"userAgent": "PowerAuthNetworking/1.3.0 (en; wifi) com.wultra.app.MobileToken/2.0.0 (Apple; iOS/17.3.1; iphone16,1)",
"device": {
"networkVersion": "1.3.0",
"language": "en",
"connection": "wifi",
"product": "com.wultra.app.MobileToken",
"version": "2.0.0",
"platform": "Apple",
"os": "iOS",
"osVersion": "17.3.1",
"model": "iphone16,1"
}
},
"activationFlag": "MTOKEN",
"status": "$STATUS",
"data": "$OPERATION_DATA",
"failureCount": 0,
"maxFailureCount": 5,
"signatureType": "$SIGNATURE_TYPE",
"externalId": "$EXTERNAL_ID",
"timestampCreated": "$TIMESTAMP_CREATED",
"timestampExpires": "$TIMESTAMP_EXPIRES",
"timestampFinalized": "$TIMESTAMP_FINALIZED"
}
The operation callback can contain the following attributes, which can be customized via the Admin API.
Field | Type | Description |
---|---|---|
type |
Enum |
Discriminator, uses OPERATION_STATUS_CHANGE value for operation callbacks |
operationId |
UDID |
Operation ID |
userId |
String |
User ID |
applications |
String[] |
Array of Application ID the operation is created for (there could be multiple IDs if user has multiple registration of multiple Applications) |
operation_type |
String |
Type of the operation, i.e., login or authorize_payment |
parameters |
Map<String, String> |
Key-value map with operation parameters |
additionalData |
Map<String, Object> |
Additional data stored within the operation, such as activation identifier used for approving the operation or information about the device relevant to the operation |
activationFlag |
String |
Activation flag used for a operation creation |
status |
Enum |
Operation status, one of PENDING , CANCELED , EXPIRED , APPROVED , REJECTED or FAILED . |
data |
String |
Data used for signature |
failureCount |
Int |
Counter indicating how many times did the operation failed |
maxFailureCount |
Int |
Maximum value of allowed failures |
signatureType |
String |
Allowed signature types for given operation |
externalId |
String |
External operation ID (for identification in third-party systems) |
timestampCreated |
DateTime |
Timestamp when the operation was created |
timestampExpires |
DateTime |
Timestamp of when the operation expires |
timestampFinalized |
DateTime |
Timestamp when the operation reached a final state, i.e., when was confirmed. |
Registration Callbacks
{
"type": "REGISTRATION_STATUS_CHANGE",
"activationId": "$ACTIVATION_ID",
"userId": "$USER_ID",
"activationName": "$ACTIVATION_NAME",
"deviceInfo": "$DEVICE_INFO",
"platform": "$PLATFORM",
"protocol": "$PROTOCOL",
"activationFlags": [
"$ACTIVATION_FLAGS"
],
"activationStatus": "$ACTIVATION_STATUS",
"blockedReason": "$BLOCKED_REASON",
"applicationId": "$APPLICATION_ID"
}
The registration callback can contain the following attributes, which can be customized via the Admin API.
Field | Type | Description |
---|---|---|
type |
Enum |
Discriminator, uses REGISTRATION_STATUS_CHANGE value for registration callbacks |
activationId |
UDID |
Registration ID (internally, called “activation”) |
userId |
String |
User ID |
activationName |
String |
Displayable name of the registration |
deviceInfo |
String |
Basic information about the device model |
platform |
String |
Basic information about the platform (iOS, Android) |
protocol |
String |
Authenticator protocol (powerauth, fido) |
activationFlags |
String[] |
Freeform flags assigned to the registration |
activationStatus |
Enum |
Registration status, one of CREATED , PENDING_COMMIT , ACTIVE , BLOCKED or REMOVED |
blockedReason |
String |
If the registration is blocked, the field contains a blocking reason info |
applicationId |
String |
Application ID |
additionalData |
Object |
The registration’s custom attributes set through a private API in a free JSON structure |
Callbacks Configuration
Since version 1.7.0 the callbacks can be configured via Admin API .
When creating or updating the callback, you may specify the parameter attributes
, which is a JSON array of strings.
This parameter defines which attributes will be included in the callback payload.
If the attributes
parameter is not specified, the default set of attributes is used.
An operation callback can contain the following values:
userId
applications
operationType
parameters
additionalData
activationFlag
status
data
failureCount
maxFailureCount
signatureType
externalId
timestampCreated
timestampExpires
timestampFinalized
A registration callback can contain the following values:
userId
activationName
deviceInfo
platform
protocol
activationFlags
activationStatus
blockedReason
applicationId
For details, see Registration Callbacks and Operation Callbacks.
Database Configuration
Database callbacks configuration is stored in table pa_application_callback
.
Example of operation callback with multiple attributes and enabled basic HTTP authorization.
INSERT INTO pa_application_callback (id,
application_id,
name,
type,
authentication,
callback_url,
attributes)
VALUES (uuid_generate_v4(),
1,
'operation-callback',
'OPERATION_STATUS_CHANGE',
'{
"certificate" : null,
"httpBasic" : {
"enabled": true,
"username": "basic_http_username",
"password": "basic_http_password"
}
}',
'http://localhost:8080/your_app/operation/status/update',
'[ "userId", "applications", "operationType",
"parameters", "additionalData", "activationFlag", "status",
"data", "failureCount", "maxFailureCount", "signatureType",
"externalId", "timestampCreated", "timestampExpires", "timestampFinalized"]');