Select release
Introduction

Home

Installation

Configuration

Console Installation and Configuration

Integration

Migration Instructions

API Reference

General Principles

Admin API

Audit API

Authentication API

Passkeys API

Communication API

Operations API

Registrations API

Reference

Callbacks API (Webhooks)

Configuration Properties

Console Configuration Properties

Database Structure

Internal Architecture

Additional Topics

Database Setup for PostgreSQL

Database Setup for Oracle

Database Setup for MSSQL

Examples

Examples of Operation Types

Callback API (WebHooks)

View product develop

External systems that integrate with the PowerAuth Cloud components can obtain status about registration and operation change by polling the appropriate API resources. However, this may either put unnecessary performance burden on our systems when the polling is too frequent, or provide sub-optimal user experience when the polling is occasional.

To provide an instant notification about changes in our systems, PowerAuth Cloud can notify your systems via a callback (sometimes called “webhooks”) whenever registration or operation changes.

Callback Authentication

Callbacks support following authentication methods:

  • HTTP Basic Authentication - Authentication using username and password.
  • Certificate Authentication (mTLS) - Authentication using a client certificate with a custom keystore and truststore (i.e., JKS).
  • OAuth2 Authentication - Authentication using OAuth 2.0 client credentials grant type.

When using mTLS certificate authentication, make sure to map a volume with your keystore and truststore files to the running container volumes, so that the application can access the files on a specified location.

Callback Types

There are two callback types:

  • Operation Callbacks - Called whenever operation status changes.
  • Registration Callbacks - Called whenever registration status changes.

The callback type is distinguished by the type discriminator value in the root of the JSON payload, which is either set to the OPERATION value (for operation callbacks) or ACTIVATION value (for registration callbacks).

The resulting callback contains type ACTIVATION or OPERATION. This is different from the values used for callback configuration - due to legacy reasons.

It is possible to customize which of the data fields are sent in the callback payload. For operation callbacks, only type and operationId are mandatory fields in the callback. For registration callbacks, the type and activationId are mandatory.

Operation Callbacks

{
  "type": "OPERATION",
  "operationId": "$OPERATION_ID",
  "userId": "$USER_ID",
  "applications": "[$APPLICATION_ID1, ... , $APPLICATION_ID1]",
  "operationType": "$OPERATION_TYPE",
  "parameters": {
    "key1": "$VAL1",
    "key2": "$VAL2"
  },
  "additionalData": {
    "activationId": "$ACTIVATION_ID",
    "applicationId": "mobile-token",
    "ipAddress": "172.168.240.48",
    "userAgent": "PowerAuthNetworking/1.3.0 (en; wifi) com.wultra.app.MobileToken/2.0.0 (Apple; iOS/17.3.1; iphone16,1)",
    "device": {
      "networkVersion": "1.3.0",
      "language": "en",
      "connection": "wifi",
      "product": "com.wultra.app.MobileToken",
      "version": "2.0.0",
      "platform": "Apple",
      "os": "iOS",
      "osVersion": "17.3.1",
      "model": "iphone16,1"
    }
  },
  "activationFlag": "MTOKEN",
  "status": "$STATUS",
  "data": "$OPERATION_DATA",
  "failureCount": 0,
  "maxFailureCount": 5,
  "signatureType": "$SIGNATURE_TYPE",
  "externalId": "$EXTERNAL_ID",
  "timestampCreated": "$TIMESTAMP_CREATED",
  "timestampExpires": "$TIMESTAMP_EXPIRES",
  "timestampFinalized": "$TIMESTAMP_FINALIZED"
}

The operation callback can contain the following attributes, which can be customized via the Admin API.

Field Type Description
type Enum Discriminator, uses OPERATION value for operation callbacks
operationId UUID Operation ID
userId String User ID
applications String[] Array of Application ID the operation is created for (there could be multiple IDs if user has multiple registration of multiple Applications)
operationType String Type of the operation, i.e., login or authorize_payment
parameters Map<String, String> Key-value map with operation parameters
additionalData Map<String, Object> Additional data stored within the operation. The structure is freeform JSON and may differ based on operation status.
activationFlag String Activation flag used for an operation creation
status Enum Operation status, one of PENDING, CANCELED, EXPIRED, APPROVED, REJECTED or FAILED.
data String Data used for signature
failureCount Int Counter indicating how many times the operation failed
maxFailureCount Int Maximum value of allowed failures
signatureType String Allowed signature types for given operation
externalId String External operation ID (for identification in third-party systems)
timestampCreated DateTime Timestamp when the operation was created
timestampExpires DateTime Timestamp of when the operation expires
timestampFinalized DateTime Timestamp when the operation reached a final state, i.e., when it was confirmed.

Operation Callback additionalData Payload

The additionalData object in an operation callback corresponds to the operation additional data stored with the operation. The callback contains the current value of the operation additional data at the time the callback is emitted. The additionalData object is optional and is populated as the Mobile Token SDK attempts to approve or reject the operation. The fields in the additionalData object are preserved across attempts. Subsequent attempts may add new values or overwrite existing ones but do not delete previously stored fields.

Complete Fields of additionalData

Field Type Description
activationId UUID Activation (registration) identifier used to approve the operation.
applicationId String Application ID of activationId.
ipAddress String IP address.
userAgent String User-Agent.
rejectReason String Reject reason when operation is rejected by user.
authFactor String Signature factors (e.g., possession_knowledge_biometry).
proximity_otp String Proximity OTP - optional; sent only for operations using proximity OTP.
mobileTokenData Object Mobile token data - optional data sent by Mobile Token SDK, e.g., FDS context.
device Object Nested device context (if captured/available).

The additionalData for Approved Operation

Field Type Description
activationId UUID Activation (registration) identifier used to approve the operation.
applicationId String Application ID of activationId.
ipAddress String IP address.
userAgent String User-Agent.
authFactor String Signature factors (e.g., possession_knowledge_biometry).
proximity_otp String Proximity OTP - optional; sent only for operations using proximity OTP.
mobileTokenData Object Mobile token data - optional data sent by Mobile Token SDK, e.g., FDS context.
device Object Nested device context (if captured/available).

The additionalData for Rejected Operation

Field Type Description
activationId UUID Activation (registration) identifier used to reject the operation.
applicationId String Application ID of activationId.
ipAddress String IP address.
userAgent String User-Agent.
rejectReason String Reject reason when operation is rejected by user.
mobileTokenData Object Mobile token data - optional data sent by Mobile Token SDK, e.g., FDS context.
device Object Nested device context (if captured/available).

The additionalData for Failed Attempt

When an approval or rejection attempt fails due to an incorrect signature, the additionalData object is populated with the ipAddress, userAgent, and device attributes. This data is then included in the callback if the operation later expires or is canceled via API.

Field Type Description
ipAddress String IP address relevant to the operation context (if captured/available).
userAgent String User-Agent relevant to the operation context (if captured/available).
device Object Nested device context (if captured/available).

Fields Parsed from the User-Agent

The device object depends on parsing of userAgent attribute.

Field Type Description
device.networkVersion String Networking library/protocol version reported by the client.
device.language String Client language (e.g., en).
device.connection String Connection type (e.g., wifi).
device.product String Client application identifier/package name.
device.version String Client application version.
device.platform String Platform vendor/family (e.g., Apple).
device.os String Operating system (e.g., iOS).
device.osVersion String OS version (e.g., 17.3.1).
device.model String Device model identifier (e.g., iphone16,1).

Registration Callbacks

{
  "type": "ACTIVATION",
  "activationId": "$ACTIVATION_ID",
  "userId": "$USER_ID",
  "activationName": "$ACTIVATION_NAME",
  "deviceInfo": "$DEVICE_INFO",
  "platform": "$PLATFORM",
  "protocol": "$PROTOCOL",
  "activationFlags": [
    "$ACTIVATION_FLAGS"
  ],  
  "activationStatus": "$ACTIVATION_STATUS",
  "blockedReason": "$BLOCKED_REASON",
  "applicationId": "$APPLICATION_ID"
}

The registration callback can contain the following attributes, which can be customized via the Admin API.

Field Type Description
type Enum Discriminator, uses ACTIVATION value for registration callbacks
activationId UUID Registration ID (internally, called “activation”)
userId String User ID
activationName String Displayable name of the registration
deviceInfo String Basic information about the device model
platform String Basic information about the platform (iOS, Android)
protocol String Authenticator protocol (powerauth, fido)
activationFlags String[] Freeform flags assigned to the registration
activationStatus Enum Registration status, one of CREATED, PENDING_COMMIT, ACTIVE, BLOCKED or REMOVED
blockedReason String If the registration is blocked, the field contains a blocking reason info
applicationId String Application ID
additionalData Object The registration’s custom attributes set through a private API in a free JSON structure

Callbacks Configuration

Since version 1.7.0 the callbacks can be configured via Admin API .

When creating or updating the callback, you may specify the parameter attributes, which is a JSON array of strings. This parameter defines which attributes will be included in the callback payload. If the attributes parameter is not specified, the default set of attributes is used.

An operation callback can contain the following values:

  • userId
  • applications
  • operationType
  • parameters
  • additionalData
  • activationFlag
  • status
  • data
  • failureCount
  • maxFailureCount
  • signatureType
  • externalId
  • timestampCreated
  • timestampExpires
  • timestampFinalized

A registration callback can contain the following values:

  • userId
  • activationName
  • deviceInfo
  • platform
  • protocol
  • activationFlags
  • activationStatus
  • blockedReason
  • applicationId

For details, see Registration Callbacks and Operation Callbacks.

Database Configuration

Database callbacks configuration is stored in table pa_application_callback.

We do not recommend configuring callbacks directly in database, use admin API.

Callback Retry Behavior

By default, callbacks are sent only once. The delivery may be retried after a failed attempt, depending on the configured retry settings. For details about retry-related configuration options, see Admin API.

Callback HTTP requests include the Idempotency-Key header. Its value is a unique UUIDv4 that identifies a callback event delivery. If the same callback event is retried, subsequent HTTP requests use the same Idempotency-Key value, allowing the receiving system to recognize duplicate delivery attempts and process them idempotently.

Last updated on Mar 13, 2026 (05:42) View product
On this page:
Search

develop

PowerAuth Cloud