Skip to main content
Grantex can POST a signed JSON payload to your server whenever key events occur — grant created, grant revoked, or token issued. Use webhooks to keep your application in sync with the authorization lifecycle without polling.

Supported Events

Registering an Endpoint

Response:
The secret is returned only once. Store it securely — you need it to verify incoming payloads.

Event Payload Shape

Every webhook POST has the same envelope:

grant.created

grant.revoked

cascade: true means descendant grants were also revoked.

token.issued

Verifying Signatures

Every request includes an X-Grantex-Signature header with a hex-encoded HMAC-SHA256 signature of the raw request body:
Always verify signatures before trusting the payload. Use the raw request body — not the parsed JSON.

SDK Usage

Delivery Behaviour

  • Grantex delivers webhooks with a 10-second timeout per request.
  • Your endpoint should return any 2xx status to be considered successful.
  • Respond quickly (under 5s) and do heavy processing asynchronously.
  • Failed deliveries are retried with exponential backoff.

Local Development

Use a tunnel tool to expose your local server:
Last modified on February 28, 2026