Event Types
Every webhook payload has this envelope:
{
"event": "<event-type>",
"timestamp": 1739462400000,
"...": "event-specific fields"
}event— the event type string (e.g.sign.created). Also sent in theX-Flowsta-EventHTTP header.timestamp— milliseconds since Unix epoch, generated at delivery time.
The event-specific fields are spread into the top level of the JSON body.
sign.created
Fires when a user signs a file via your app.
{
"event": "sign.created",
"timestamp": 1739462400000,
"file_hash": "a1b2c3...64-char-hex",
"action_hash": "uhCkk...",
"signer": "uhCAk...",
"signed_at": 1739462399500,
"intent": "authorship"
}| Field | Type | Notes |
|---|---|---|
file_hash | string | SHA-256 of the signed file, lowercase hex |
action_hash | string | The Holochain action hash of this signature entry |
signer | string | Holochain agent public key of the user who signed |
signed_at | number | Milliseconds since epoch, when the sign action happened |
intent | string | undefined | Optional intent string (e.g. authorship, endorsement) |
Optional filter: filters.file_hash on the webhook restricts delivery to matching file hashes only (case-insensitive).
sign.revoked
Fires when a user revokes one of their signatures.
{
"event": "sign.revoked",
"timestamp": 1739470000000,
"action_hash": "uhCkk...",
"revoker": "uhCAk...",
"reason": "uploaded by mistake"
}| Field | Type | Notes |
|---|---|---|
action_hash | string | Action hash of the signature being revoked |
revoker | string | Agent public key of the user revoking |
reason | string | null | Optional reason string supplied by the user |
oauth.authorized
Fires when a user completes OAuth authorization against your app.
{
"event": "oauth.authorized",
"timestamp": 1739462000000,
"user_id": "user-uuid-123",
"scopes": ["profile", "email", "sign"]
}| Field | Type | Notes |
|---|---|---|
user_id | string | Internal user identifier |
scopes | string[] | Granted OAuth scopes |
Scoped to the app the user authorized (delivered only to webhooks on that app).
oauth.token.revoked
Fires when an OAuth token is revoked (via /oauth/revoke).
{
"event": "oauth.token.revoked",
"timestamp": 1739465000000,
"token_type": "refresh_token"
}| Field | Type | Notes |
|---|---|---|
token_type | string | refresh_token or access_token — defaults to refresh_token if unspecified |
user.profile.updated
Fires when a user updates their profile (currently: display name).
{
"event": "user.profile.updated",
"timestamp": 1739468000000,
"user_id": "user-uuid-123",
"fields_changed": ["display_name"]
}| Field | Type | Notes |
|---|---|---|
user_id | string | Internal user identifier |
fields_changed | string[] | Names of the fields that changed |
Reserved (not yet firing)
These event types are valid and can be subscribed to without error, but no code currently fires them. Documentation and payload shapes will land with the feature work:
user.2fa.enableduser.2fa.disabledsubscription.upgradedsubscription.downgradedsubscription.cancelled
Subscribing today is safe — you simply won't receive deliveries until they ship.