Webhooks overview
A webhook is an event-driven method of communication between applications.
Unlike typical APIs where you would need to poll for data very frequently to get it "real-time", webhooks only send data when there is an event to trigger the webhook. This makes webhooks seem "real-time", but it's important to note that they are asynchronous.
For example, if you are onboarding a new user, you can't rely on the webhook delivery as part of that flow. Typically the delivery will happen quickly, but it's not guaranteed to be delivered immediately or at all. Webhooks are best used for things like sending a notification or updating a database, but not for synchronous flows where you need to know the webhook was delivered before moving on to the next step. If you need a synchronous flow, see the onboarding guide for an example.
Clerk webhooks
Clerk webhooks allow you to receive event notifications from Clerk, such as when a user is created or updated. When an event occurs, Clerk will send an HTTP POST
request to your webhook endpoint configured for the event type. The payload carries a JSON object. You can then use the information from the request's JSON payload to trigger actions in your app, such as sending a notification or updating a database.
Clerk uses Svix to send our webhooks.
You can find the Webhook signing secret when you click on the endpoint you created on the Webhooks page in the Clerk Dashboard.
Supported webhook events
To find a list of all the events Clerk supports:
- In the Clerk Dashboard, navigate to the Webhooks page.
- Select the Event Catalog tab.
Payload structure
The payload of a webhook is a JSON object that contains the following properties:
data
: contains the actual payload sent by Clerk. The payload can be a different object depending on theevent
type. For example, foruser.*
events, the payload will always be the User object.object
: always set toevent
.type
: the type of event that triggered the webhook.
The following example shows the payload of a user.created
event:
The payload should always be treated as unsafe until you validate the incoming webhook. Webhooks will originate from another server and be sent to your application as a POST request. A bad actor would fake a webhook event to try and gain access to your application or data.
How Clerk handles delivery issues
Retry
Svix will use a set schedule and retry any webhooks that fail. To see the up-to-date schedule, see the Svix Retry Schedule.
If Svix is attempting and failing to send a webhook, and that endpoint is removed or disabled from the Webhooks page in the Clerk Dashboard, then the attempts will also be disabled.
Replay
If a webhook message or multiple webhook messages fail to send, you have the option to replay the webhook messages. This protects against your service having downtime or against a misconfigured endpoint.
To replay webhook messages:
- In the Clerk Dashboard, navigate to the Webhooks page.
- Select the affected endpoint.
- In the Message Attempts section, next to the message you want to replay, select the menu icon on the right side, and then select Replay.
- The Replay Messages menu will appear. You can choose to:
- Resend the specific message you selected.
- Resend all failed messages since the first failed message in that date range.
- Resend all missing messages since the first failed message in that date range.
Sync data to your database
You can find a guide on how to use webhooks to sync your data to your database here.
Protect your webhooks from abuse
To ensure that the API route receiving the webhook can only be hit by your app, there are a few protections you can put in place:
-
Verify the request signature: Svix webhook requests are signed and can be verified to ensure the request is not malicious. To learn more, see Svix's guide on how to verify webhooks with the svix libraries or how to verify webhooks manually.
-
Only accept requests coming from Svix's webhook IPs: To further prevent attackers from flooding your servers or wasting your compute, you can ensure that your webhook-receiving api routes only accept requests coming from Svix's webhook IPs, rejecting all other requests.
Feedback
Last updated on