Webhooks

Webhooks

Webhooks let you receive real-time notifications when events occur in your Aureva projects. Configure a webhook URL in your project settings, and Aureva will send HTTP POST requests to your endpoint whenever supported events are triggered.

---

Supported Events

Event	Description
key.created	A new key was created
key.expired	A key has expired
key.used	A key was used (script access granted)
key.deleted	A key was deleted or revoked
hwid.reset	HWID binding was reset for a key
hwid.changed	HWID was changed or updated for a key
script.uploaded	A new script was uploaded
script.updated	An existing script was updated
auth.failed	An authentication attempt failed (invalid key, HWID mismatch, etc.)
auth.success	An authentication attempt succeeded

Tip

Subscribe only to the events you need. Fewer events mean less traffic and simpler handling.

---

Webhook Configuration

Each webhook has:

Field	Description
name	Display name for the webhook
url	Endpoint URL (must be HTTPS for production)
events	JSON array of event types to receive
is_active	Whether the webhook is enabled
secret	Optional secret for HMAC-SHA256 signature verification

---

Payload Formats

Generic Webhook Format

For non-Discord URLs, Aureva sends:

{
  "event": "key.used",
  "project_id": "proj_abc123",
  "timestamp": 1709654400,
  "data": {
    "key_id": "key_456",
    "script_id": "script_789",
    "hwid": "hwid_hash",
    "ip": "1.2.3.4"
  }
}

Field	Description
event	Event type (e.g., key.used)
project_id	Project identifier
timestamp	Unix timestamp (seconds)
data	Event-specific payload

Discord Webhook Format

When the webhook URL is a Discord webhook (https://discord.com/api/webhooks/... or https://discordapp.com/api/webhooks/...), Aureva sends a Discord embed payload with event-specific titles and colors instead of the generic JSON structure.

---

Signature Verification

When a secret is configured, Aureva includes an X-Webhook-Signature header with an HMAC-SHA256 signature of the request body. Verify it to ensure the request is from Aureva and has not been tampered with.

const crypto = require('crypto');

function verifyWebhookSignature(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature, 'hex'),
    Buffer.from(expected, 'hex')
  );
}

// In your handler:
const rawBody = await request.text();
const signature = request.headers.get('X-Webhook-Signature');
if (secret && !verifyWebhookSignature(rawBody, signature, secret)) {
  return new Response('Invalid signature', { status: 401 });
}

Caution

Store webhook secrets securely. Use them to verify that incoming requests are from Aureva and not spoofed.

---

Managing Webhooks

Use the dashboard to manage webhooks:

1. Go to Project → Settings → Webhooks
2. Add, edit, or remove webhook URLs
3. Select which events to receive
4. Optionally set a secret for signature verification
5. Send test events to verify your endpoint
6. View delivery logs for each webhook (event type, status, timestamp)

Note

Return 200 OK as soon as you’ve received and queued the payload. Process asynchronously to avoid timeouts.

---

Best Practices

1. Respond quickly — Return 200 within 10 seconds; process in background.
2. Verify signatures — Use the shared secret to validate requests when configured.
3. Handle idempotency — Use event data to deduplicate if your endpoint may receive duplicates.
4. Log events — Store raw payloads for debugging and auditing.
5. Monitor failures — Set up alerts for repeated delivery failures.

Tip

Implement a dead-letter queue for events that fail processing. Retry later instead of losing data.