Webhooks and scriptable handlers for every identity event.
Export audit events, post to webhooks, trigger workflows. Subscribe to logins, registrations, role changes — anything Keycloak emits — and route them to your stack.
Identity events shouldn't be trapped inside Keycloak.
Audit logs need to leave
Compliance, observability, fraud detection — all want events out of Keycloak and into your platform.
Workflows want a trigger
When a user joins an org, you want to create rows in your DB, post to Slack, kick off provisioning. Polling isn't the answer.
Keycloak's built-in SPI is too low-level
Implementing event listeners as a Java SPI works, but it's painful to iterate on and not portable across clusters.
Identity events as a normal eventing system
Webhooks first
POST signed JSON to any URL. Standard HTTP. No glue code.
Scriptable handlers
Or write a script (JS) that runs on each event — filter, map, transform.
Retry, DLQ, idempotency
Treat it like any other webhook system. Failures don't lose events.
Realm-scoped or global
Subscribe to a tenant's events or all of them.
Where event routing pays off
Anywhere identity changes need to be visible somewhere else.
Everything you'd want from a webhook system
Subscribe per event type
USER_LOGIN, ROLE_CHANGE, PASSWORD_RESET — opt in to what you need.
Webhook destinations
Any HTTPS URL. Standard JSON payload.
JS script handlers
Run small scripts inside Keycloak for filter / map / fanout.
Retry with backoff
Failed deliveries retry with exponential backoff.
DLQ
Events that fail repeatedly land in a dead-letter queue you can replay.
Signed payloads
HMAC-signed so the receiver can verify origin.
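What the receiving side of a signed, retried webhook has to do, as an added example that is not the product's own code: it assumes an `X-Signature` header carrying hex HMAC-SHA256 over the raw request body and a unique `id` field per event, neither of which the page specifies.

```python
import hashlib
import hmac
import json

# Assumed wire format (not specified on the page): the sender puts
# hex(HMAC-SHA256(secret, raw_body)) in an X-Signature header, and each
# event carries a unique "id" so redelivered events can be deduplicated.
SIGNATURE_HEADER = "X-Signature"

def sign(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver side: recompute over the raw body (never the re-serialized
    JSON) and compare in constant time so timing leaks nothing."""
    if not header_value:
        return False
    expected = sign(secret, body).encode()
    return hmac.compare_digest(expected, header_value.lower().encode())

class WebhookReceiver:
    """Verifies origin first, then applies each event at most once."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_ids = set()   # production: durable store with a unique index
        self.applied = []       # what a real handler would act on

    def handle(self, headers: dict, raw_body: bytes) -> str:
        # 1. Reject anything not proven to come from the sender holding the secret.
        if not verify(self.secret, raw_body, headers.get(SIGNATURE_HEADER, "")):
            return "rejected"
        event = json.loads(raw_body)
        # 2. Retry with backoff means the same event can arrive more than once;
        #    keying on the event id keeps the handler idempotent.
        if event["id"] in self.seen_ids:
            return "duplicate"
        self.seen_ids.add(event["id"])
        self.applied.append((event["type"], event["userId"]))
        return "applied"

# Constructed sample delivery (not a real Keycloak event).
SECRET = b"shared-webhook-secret"
SAMPLE_BODY = json.dumps({"id": "evt-1", "type": "USER_LOGIN", "userId": "u-42"}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign(SECRET, SAMPLE_BODY)}
```

Verify before parsing: a forged or tampered body is dropped without ever reaching `json.loads` or the handler logic.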