Overview
Security webhook events notify your SIEM or security tooling when identity and access management (IAM) actions occur in Gu1: member lifecycle, role changes, sign-in/out, failed logins, admin password actions, and selected security settings. Configure them like any other webhook in Settings → Webhooks and subscribe only to thesecurity.* events you need.
Payload shape (all security events)
Every security webhook uses the standard envelope plus a normalized inner payload:| Field | Description |
|---|---|
actionAt | When the action occurred (ISO 8601) |
actor | User who performed the action (id is Gu1 DB UUID when available) |
affectedUser | User impacted by the action (when applicable) |
description | Human-readable summary |
changes | Map of changed fields. Role permissions: { added, removed, current }. Other fields: { previous, current }. |
context | IP, user agent, settings scope, role metadata |
Available events
Members (security.member.*)
| Event | When it fires |
|---|---|
security.member.invited | Admin invites a new member |
security.member.created | Member accepts invitation / is created in org |
security.member.removed | Member removed from organization |
security.member.activated | Member enabled / reactivated |
security.member.deactivated | Member disabled |
security.member.profile_updated | Admin updates member display name (firstName / lastName) |
security.member.password_reset | Admin resets a member’s password |
security.member.password_generated | Admin generates a temporary password |
security.member.team_added | Member is added to a team |
security.member.team_removed | Member is removed from a team |
security.member.team_role_changed | Member’s role within a team changes |
security.member.channel_granted | Member is granted access to a child channel organization |
security.member.channel_revoked | Member’s access to a child channel organization is revoked |
security.member.environment_granted | Member is granted access to the paired production or sandbox org |
security.member.environment_revoked | Member’s access to the paired production or sandbox org is revoked |
context.teamType (e.g. production, sandbox) and context.teamRole apply to team events. For environment access, context.environment is "production" or "sandbox", with context.environmentOrganizationId and context.environmentOrganizationName. Channel webhooks fire on the parent organization context; context.channelOrganizationId identifies the channel.
Roles & RBAC (security.role.*, security.rbac.*)
| Event | When it fires |
|---|---|
security.role.created | Granular role created |
security.role.updated | Role modified (includes permission diffs when available) |
security.role.deleted | Role deleted |
security.role.assigned | Role assigned to user |
security.role.revoked | Role revoked from user |
security.rbac.granular_toggled | Granular RBAC enabled or disabled |
Authentication (security.auth.*)
| Event | When it fires |
|---|---|
security.auth.login_succeeded | Successful sign-in (Gu1 web app) |
security.auth.logout | User signs out |
security.auth.login_failed | Failed sign-in attempt (when email resolves to an org) |
Security settings
| Event | When it fires |
|---|---|
security.settings.updated | Sandbox mode, general/risk settings, or other audited security-related org settings (context.scope identifies the area) |
Limitations
The following are not covered by Gu1 security webhooks today:- End-user self-service password change in Clerk (IdP-only)
- MFA / SSO configuration changes in Clerk
- Machine-to-machine API key authentication (separate from user login)
- Clerk dashboard session revocations that never touch Gu1 API
security.member.password_*.