--- title: Events description: Respond to activity that occurs within WorkOS and third-party providers. originalPath: .tmp-workos-clone/packages/docs/content/events/index.mdx --- Events represent activity that has occurred within WorkOS or within third-party identity and directory providers. Your app can [sync the data](/events/data-syncing) via either the events API or webhooks. #### Event object All event objects share a similar structure. | Attribute | Description | | ------------ | -------------------------------------------------------------------------- | | `event` | A string that distinguishes the event type. | | `id` | Unique identifier for the event. | | `data` | Event payload. Payloads match the corresponding [API objects](/reference). | | `created_at` | Timestamp of when the event occurred. | | `context` | An optional object of extra information relevant to the event. | ## API key events {{ "url": "api-key" }} Events emitted when [API keys](/authkit/api-keys) are created or revoked. Triggered when an API key is created. Triggered when an API key is revoked. ## Authentication events {{ "url": "authentication" }} Each step in the [authentication](/reference/authkit/authentication) flow emits an authentication event. Authentication success events are emitted even when additional steps, such as MFA, are required to complete the process. Triggered when a user fails to verify their email. Triggered when a user successfully verifies their email. Triggered when a user fails to authenticate via Magic Auth. Triggered when a user successfully authenticates via Magic Auth. Triggered when a user fails to authenticate with a multi-factor authentication code. Triggered when a user successfully authenticates with a multi-factor authentication code. Triggered when a user fails to authenticate via OAuth. Triggered when a user successfully authenticates via OAuth. Triggered when a user fails to authenticate with password credentials. Triggered when a user successfully authenticates with password credentials. Triggered when a user fails to authenticate with a passkey. Triggered when a user successfully authenticates with a passkey. Triggered when a user fails to authenticate with Single Sign-On. Triggered when a user successfully authenticates with Single Sign-On. Triggered when an authentication succeeds but is flagged by Radar. For example, the authentication may have succeeded at passing a Radar challenge. ## Connection events {{ "url": "connection" }} Events emitted when Single Sign-On connections are activated, deactivated, or deleted. Also emitted when a SAML certificate is renewed for the connection. Payload `data` corresponds to the [Connection](/reference/sso/connection) object. Triggered when a connection is activated. Payload `data` corresponds to the [Connection](/reference/sso/connection) object. Triggered when a connection is deactivated. Payload `data` corresponds to the [Connection](/reference/sso/connection) object. Triggered when a connection is deleted. The `state` attribute indicates connection state before deletion. The `certificate_type` can be one of `ResponseSigning`, `RequestSigning`, or `ResponseEncryption`. Triggered when a SAML certificate is renewed either in the Dashboard or Admin Portal. The `certificate_type` can be one of `ResponseSigning`, `RequestSigning`, or `ResponseEncryption`. Triggered when a SAML certificate is expiring (multiple events are sent out as it approaches expiry), or expired (once every 7 days after expiry). ## Directory Sync events {{ "url": "directory-sync" }} Events emitted when directory-related resources are changed. To learn what exactly each of these events represents, see the [in-depth Directory Sync events guide](/directory-sync/understanding-events). Payload `data` is based on the [Directory](/reference/directory-sync/directory) object, but the `domain` property is replaced with a `domains` array of [Organization Domain](reference/organization-domain). Triggered when a [directory is activated](/directory-sync/understanding-events/directory-events/dsync-activated). Payload `data` is based on the [Directory](/reference/directory-sync/directory) object, except the `domain` property is omitted. Triggered when a [directory is deleted](/directory-sync/understanding-events/directory-events/dsync-deleted). The `state` attribute indicates directory state before deletion. Payload `data` corresponds to the [Directory Group](/reference/directory-sync/directory-group) object. Triggered when a [directory group is created](/directory-sync/understanding-events/directory-group-events/dsync-group-created). Payload `data` corresponds to the [Directory Group](/reference/directory-sync/directory-group) object. Triggered when a [directory group is deleted](/directory-sync/understanding-events/directory-group-events/dsync-group-deleted). Payload `data` corresponds to the [Directory Group](/reference/directory-sync/directory-group) object. Triggered when a [directory group is updated](/directory-sync/understanding-events/directory-group-events/dsync-group-updated). Payload `data` contains a `user` which corresponds to the [Directory User](/reference/directory-sync/directory-user) object and a `group` which corresponds to the [Directory Group](/reference/directory-sync/directory-group) object. The `groups` field is omitted from the `user` object to avoid performance issues in large directories. Triggered when a [directory group user is added](/directory-sync/understanding-events/directory-group-events/dsync-group-user-added). Payload `data` contains a `user` which corresponds to the [Directory User](/reference/directory-sync/directory-user) object and a `group` which corresponds to the [Directory Group](/reference/directory-sync/directory-group) object. The `groups` field is omitted from the `user` object to avoid performance issues in large directories. Triggered when a [directory group user is removed](/directory-sync/understanding-events/directory-group-events/dsync-group-user-removed). Payload `data` corresponds to the [Directory User](/reference/directory-sync/directory-user) object. The `groups` field is omitted to avoid performance issues in large directories. Triggered when a [directory user is created](/directory-sync/understanding-events/directory-user-events/dsync-user-created). Payload `data` corresponds to the [Directory User](/reference/directory-sync/directory-user) object. The `groups` field is omitted to avoid performance issues in large directories. Triggered when a [directory user is deleted](/directory-sync/understanding-events/directory-user-events/dsync-user-deleted). The `state` attribute indicates directory user state at time of deletion. Payload `data` corresponds to the [Directory User](/reference/directory-sync/directory-user) object. The `groups` field is omitted to avoid performance issues in large directories. Triggered when a [directory user is updated](/directory-sync/understanding-events/directory-user-events/dsync-user-updated). ## Email verification events {{ "url": "email-verification" }} Events emitted when a user is required to verify their email. Payload `data` corresponds to the [Email verification](/authkit/email-verification) object with the `code` omitted. Triggered when a user is required to verify their email and a code is created. ## Feature flag events {{ "url": "feature-flags" }} Events emitted when WorkOS feature flags are created, updated, deleted, or their rules are updated. Payload `data` corresponds to the [Feature Flag](/reference/feature-flags) object. Triggered when a feature flag is created. Payload `data` corresponds to the [Feature Flag](/reference/feature-flags) object. Triggered when a feature flag is updated. Payload `data` corresponds to the [Feature Flag](/reference/feature-flags) object. Triggered when a feature flag is deleted. Payload `data` corresponds to the [Feature Flag](/reference/feature-flags) object. Triggered when a feature flag's rules are modified. ## Invitation events {{ "url": "invitation" }} Events emitted when an [AuthKit user](/reference/authkit/user) is invited to join an organization. Payload `data` corresponds to the [Invitation](/reference/authkit/invitation) object with the `token` and `accept_invitation_url` omitted. Triggered when a user accepts an invitation. Payload `data` corresponds to the [Invitation](/reference/authkit/invitation) object with the `token` and `accept_invitation_url` omitted. Triggered when a user is invited to sign up or to join an organization. Payload `data` corresponds to the [Invitation](/reference/authkit/invitation) object with the `token` and `accept_invitation_url` omitted. Triggered when an invitation is resent. Payload `data` corresponds to the [Invitation](/reference/authkit/invitation) object with the `token` and `accept_invitation_url` omitted. Triggered when an invitation is revoked. ## Magic Auth events {{ "url": "magic-auth" }} Events emitted when a user requests a Magic Auth code. Payload `data` corresponds to the [Magic Auth](/reference/authkit/magic-auth) object with the `code` omitted. Triggered when a user initiates Magic Auth and an authentication code is created. ## Organization events {{ "url": "organization" }} Events emitted when WorkOS organizations are created, updated, or deleted. Payload `data` corresponds to the [Organization](/reference/organization) object. Triggered when an organization is created. Payload `data` corresponds to the [Organization](/reference/organization) object. Triggered when an organization is updated. Payload `data` corresponds to the [Organization](/reference/organization) object. Triggered when an organization is deleted ## Organization domain events {{ "url": "organization-domain" }} Events emitted when organization domains are created, updated, deleted, or their verification status changes. Payload `data` corresponds to the [Organization Domain](/reference/domain-verification) object. Triggered when an organization domain is created. Payload `data` corresponds to the [Organization Domain](/reference/domain-verification) object. Triggered when an organization domain is updated. Payload `data` corresponds to the [Organization Domain](/reference/domain-verification) object. Triggered when an organization domain is deleted. Payload `data` corresponds to the [Organization Domain](/reference/domain-verification) object. Triggered when an organization domain is verified. Payload `data` contains a `reason` and an `organization_domain` which corresponds to the [Organization Domain](/reference/domain-verification) object. Triggered when an organization domain verification fails. ## Organization membership events {{ "url": "organization-membership" }} Events emitted when an [AuthKit user](/reference/authkit/user) joins or leaves an organization. Payload `data` corresponds to the [Organization Membership](/reference/authkit/organization-membership) object. Triggered when an organization membership is created. Payload `data` corresponds to the [Organization Membership](/reference/authkit/organization-membership) object. Triggered when an organization membership is deleted. Payload `data` corresponds to the [Organization Membership](/reference/authkit/organization-membership) object. Triggered when an organization membership is updated. ## Organization role events {{ "url": "organization-role" }} Events emitted when [organization roles](/reference/roles/organization-role) are created, updated, or deleted. Payload `data` corresponds to the organization role object. Triggered when an organization role is created. Payload `data` corresponds to the organization role object. Triggered when an organization role is deleted. Payload `data` corresponds to the organization role object. Triggered when an organization role is updated. ## Password reset events {{ "url": "password-reset" }} Events emitted when a user requests to reset their password. Payload `data` corresponds to the [Organization Membership](/reference/authkit/password-reset) object with the `token` omitted. Triggered when a user requests to reset their password. Payload `data` corresponds to the [Password Reset](/reference/authkit/password-reset) object with the `token` omitted. Triggered when a user successfully resets their password. ## Permission events {{ "url": "permission" }} Events emitted when [permissions](/reference/roles/permission) are created, updated, or deleted. Payload `data` corresponds to the permission object. Triggered when a permission is created. Payload `data` corresponds to the permission object. Triggered when a permission is deleted. Payload `data` corresponds to the permission object. Triggered when a permission is updated. ## Role events {{ "url": "role" }} Events emitted when [environment roles](/reference/roles/role) are created, updated, or deleted. Triggered when a role is created. Triggered when a role is deleted. Triggered when a role's permissions are updated. ## Session events {{ "url": "session" }} Events emitted when AuthKit sessions are created. Triggered when a session is created. Sessions started using [impersonation](/authkit/impersonation) will include an additional `impersonator` field with data about the impersonator. Triggered when an issued session is revoked for a user. ## User events {{ "url": "user" }} Events emitted when [AuthKit users](/reference/authkit/user) are created, updated, or deleted. Payload `data` corresponds to the [User](/reference/authkit/user) object. Triggered when a user is created. Payload `data` corresponds to the [User](/reference/authkit/user) object. Triggered when a user is deleted. Payload `data` corresponds to the [User](/reference/authkit/user) object. Triggered when a user is updated. ## Vault events {{ "url": "vault" }} Events emitted when [Vault](/vault) data, keys, or metadata are accessed or modified. Each event payload includes an `actor_id`, `actor_source`, and `actor_name` identifying who performed the action. Triggered when a new encrypted object is stored in Vault. Triggered when an encrypted object is deleted from Vault. Triggered when an encrypted object is read from Vault. Triggered when an existing encrypted object is updated in Vault. Triggered when a data encryption key (DEK) is decrypted. Triggered when one or more data encryption keys (DEKs) are read. Triggered when a new key encryption key (KEK) is created. Triggered when metadata for a Vault store is read. Triggered when the list of Vault store names is retrieved.