Intro to Apono Outbound Webhooks
Send Apono access request data to your internal systems with event-triggered HTTP messages
You can use Apono webhooks to send notifications about new access requests and changed access request statuses to your internal security, event management, and developer tools. These notifications enable you to track and log request events, and automate actions such as ticket creation or customer notifications.
This guide shows you how to configure webhooks and test them immediately.
Configure a webhook
Follow these steps to configure an Apono webhook:
-
On the Webhooks page, click Add Webhook. The Add Webhook page appears.
-
From the Method dropdown menu, select a REST method. Apono supports
POST,PUT, andDELETE. -
Enter the URL of the target system that will receive the webhook. Specify the HTTPS protocol only. Do not specify any custom ports.
-
In the Body Template field, construct a JSON body for the webhook payload.
Click View event’s payload schema to help you construct the body. Learn about
the schema’s data fields and view a sample schema. Learn about the schema’s data fields and view a sample schema. -
Enter Headers as required by the target system, such as an authorization header.
-
From the Triggers dropdown menu, select one or more event triggers, which correspond to Apono access request statuses.
-
Enter a unique, alphanumeric, user-friendly Name for identifying this webhook.
-
Toggle the webhook’s Status to Active or Inactive. When active, the webhook can be triggered immediately.
-
Click Test to generate a test event to trigger your webhook. A Success or Failure response status will appear at the bottom of the page. Click Invocation Data to open a panel on the right side of the page and view the complete request and response, as well as other relevant details.
-
After verifying that the webhook works successfully, click Save Webhook.
Your newly saved webhook appears in the Webhooks table, preceded by a green dot if it is active or a white dot if it is inactive.
Troubleshoot your webhook
If your webhook test returns errors, take one of the following actions:
| Error | Action |
|---|---|
| Invalid host |
|
| Invalid body template |
|
Use the schema to build a JSON body
The Apono schema defines the structure of the data that you can pass in the webhook payload. Apono uses the Handlebars templating language to format expressions for certain data fields.
.
You can view the full schema while constructing the JSON body as you configure the webhook.
Below is the schema, with sample values, followed by data descriptions:
{
"event_type": "AccessRequestCreated",
"event_time": 1696263265.851898000,
"data": {
"id": "123",
"friendly_id": "AR-123",
"requester": {
"id": "user-1",
"name": "User",
"email": "[email protected]"
},
"justification": "I need access to this",
"creation_date": 1696263265.852378000,
"revocation_date": 1696266865.852380000,
"access_flow": {
"id": "flow-1",
"name": "Flow 1"
},
"access_bundle": {
"id": "bundle-1",
"name": "Bundle 1"
},
"access_groups": [
{
"integration": {
"id": "integration-1",
"type": "Postgresql",
"name": "prod db"
},
"resource_types": [
{
"id": "postgresql-database",
"name": "Database",
"display_path": "Postgresql/Database"
}
],
"access_units": [
{
"resource": {
"id": "res-1",
"name": "DB 1",
"path": "prod db/res-1",
"type": {
"id": "postgresql-database",
"name": "Database",
"display_path": "Postgresql/Database"
}
},
"permission": {
"id": "ReadOnly",
"name": "ReadOnly"
}
},
{
"resource": {
"id": "res-2",
"name": "DB 2",
"path": "prod db/res-2",
"type": {
"id": "postgresql-database",
"name": "Database",
"display_path": "Postgresql/Database"
}
},
"permission": {
"id": "ReadOnly",
"name": "ReadOnly"
}
}
]
}
],
"approvals_logical_relation": "AllOf",
"approvals": [
{
"name": "Manager",
"type": "Manager",
"status": "Pending"
},
{
"name": "Admins",
"type": "Group",
"status": "Approved",
"approver": {
"id": "admin-1",
"name": "Admin 1",
"email": "[email protected]"
}
}
]
}
}
(Top level)
| Property | Description |
|---|---|
| event_type string | Webhook trigger, corresponding to different access request statuses |
| event_time float | Time of the event occurrence in epoch seconds.milliseconds |
| data object | Field containing an embedded object with contextual information about the triggering event See data object. |
data object
| Property | Description |
|---|---|
| id string | Apono request ID |
| friendly_id string | Human-readable ID that also appears in the Apono UI |
| requester object | Metadata about the user requesting access |
| justification string | Reason provided by requester for needing access |
| creation_date float | Date the access request was created in epoch seconds.milliseconds |
| revocation_date float | Date the access request was revoked in epoch seconds.milliseconds |
| access_flow object | Metadata about a related access flow |
| access_bundle object | Metadata about a related access bundle |
| access_groups object | Metadata about related integrations and resources that the requester wants to access
|
| approvals_logical_relation string | Whether the request requires one approver (AnyOf value) or all approvers within a group (AllOf value)
|
| approvals object | Metadata about approved access requests
|
data.requester object
| Property | Description |
|---|---|
| id string | Requester's Apono ID |
| name string | Requester’s Apono username |
| email string | Requester’s email address |
data.access_flow object
| Property | Description |
|---|---|
| id string | Apono ID for the access flow |
| name string | Customer-created name for the access flow |
data.access_bundle object
| Property | Description |
|---|---|
| id string | Apono ID for the access bundle |
| name string | Customer-created name for the access bundle |
data.access_groups object
| Property | Description |
|---|---|
| integration object | Metadata about the integration that the requester wants to access
See data.access_groups.integration object. |
| resource_types object | Metadata about the resource types that the requester wants to access
See data.access_groups.resource_types object. |
| access_units object | Metadata about the requested access unit, which is a pairing of a resource and a permission
See data.access_groups.access_units object. |
data.access_groups.integration object
| Property | Description |
|---|---|
| id string | Apono ID of the integration |
| type string | Type of resource the requester wants to access, such as Postgresql |
| name string | Customer-created resource name |
data.access_groups.resource_types object
| Property | Description |
|---|---|
| id string | Apono ID of the integration |
| name string | Display name for the resource |
| display_path string | Logical, hierarchical container for the resource For example, the display path for an AWS bucket resource type might be AWS-account/us-east/bucket/E2 |
data.access_groups.access_units object
| Property | Description |
|---|---|
| resource object | Metadata about the resource the requester wants to access See data.access_groups.access_units.resource object. |
| permissions object | Metadata about resource permission granted to the requester See data.access_groups.access_units.permissions object. |
data.access_groups.access_units.resource object
| Property | Description |
|---|---|
| id string | Apono ID of the resource |
| name string | Customer-created name for the resource |
| path string | Physical path of the resource For example, the path of a database would be database-name/table-name |
| type object | Metadata about the resource type the requester wants to access See data.access_groups.access_units.resource.type object |
data.access_groups.access_units.resource.type object
| Property | Description |
|---|---|
| id string | Apono ID of the resource type |
| name string | Name of the resource type |
| display_path string | Logical, hierarchical container for the resource For example, the display path for an AWS bucket resource type might be AWS-account/us-east/bucket/E2 |
data.access_groups.access_units.permissions object
| Property | Description |
|---|---|
| id string | Apono ID for the permission |
| name string | Name of the permission granted to the requester, such as ReadOnly |
data.approvals object
| Property | Description |
|---|---|
| name string | Name of the entity approving the request, which could be:
|
| type string | Type of approver, which could be:
|
| status string | Status of the request, which could be:
|
| approver object | Metadata about the person approving the access request See data.approvals.approver object. |
data.approvals.approver object
| Property | Description |
|---|---|
| id string | Approver's Apono ID |
| name string | Approver's Apono username |
| email string | Approver's email address |
Manage webhooks
After creating a webhook, you can manage it.
Edit a webhook
Use the following steps to edit a webhook:
- On the Webhooks page, locate the webhook.
- In the row of the webhook, click ⋮ > Edit. The Edit Webhook tab appears.
- Update the settings.
- Test the changes.
- Click Save Webhook.
Change the activation status
Use the following steps to change the activation status of a webhook:
- On the Webhooks page, locate the webhook.
- In the row of the webhook, click ⋮ > Inactivate.
If the webhook is inactivate, Active will appear as the option.
View the invocation history
The Invocation History tab displays information about webhooks that Apono has sent:
- Date and time when the webhook was sent
- Event trigger
- Whether the webhook was successfully sent
- Request and response payloads
Use the following steps to view the invocation history:
- On the Webhooks page, locate the webhook.
- In the row of the webhook, click ⋮ > History. The Invocation History tab appears.
Delete a webhook
Deleting a webhook is permanent and cannot be reversed.
Use the following steps to delete a webhook:
- On the Webhooks page, locate the webhook.
- In the row of the webhook, click ⋮ > Delete. A confirmation popup window appears.
- Click Yes.
Updated about 1 month ago