Events for Keycloak

Webhooks, scriptable event handlers, and an audit-log REST API for Keycloak. Export identity events to your observability stack, trigger workflows, and stop being blind to what's happening in your realm.

The problem

Keycloak events live in a black box

The upstream event SPI runs entirely in-process. It writes to the database and to stdout — and that's the whole story.

  1. No webhooks

    There's no built-in way to deliver events to an HTTP endpoint, fan them out to a queue, or stream them to your data pipeline.

  2. No usable audit API

    Applications that want to show identity history end up reading the Keycloak database directly — fragile, unscoped, and a security smell.

  3. Glue code, rebuilt every upgrade

    Every team running Keycloak in production writes a custom event listener provider, and rewrites it every time the SPI changes.

Why we built it

Make Keycloak observable and event-driven

We built Events to turn Keycloak from a black box into a normal participant in your platform — observable, scriptable, and integrated.

  1. Reliable webhooks

    Configurable destinations with HMAC signing, event-type filtering, and built-in retry/backoff. Delivery you can trust as audit evidence.

  2. Audit log REST API

    Query identity history through a proper authenticated API, not by going around Keycloak to its database.

  3. Scriptable handlers

    JavaScript event handlers run in-process when you need transformation or filtering before events leave the system — no separate service required.

  4. Built once, maintained against Keycloak

    Skip rebuilding the same listener provider every upgrade. The extension tracks Keycloak releases.

What teams use it for

Audit log export

Stream every login, registration, and admin action to your SIEM or data warehouse via webhook. SOC 2 audit evidence without scraping the Keycloak database.

Sync to your product

When a user is created, deleted, or updated in Keycloak, fire a webhook to your application so your product database stays in sync.

Slack/PagerDuty alerts

Alert on suspicious patterns — failed admin logins, brute force, mass user deletion — by piping events to a workflow tool.

Event-driven authorization changes

When a user joins an organization or gets a role, trigger downstream provisioning workflows automatically.

Key capabilities

Webhooks with retry and signing

Configure webhook destinations with HMAC signing, filter by event type, and rely on built-in retry/backoff for reliable delivery.

Scriptable event handlers

Write JavaScript event handlers that run in-process when you need transformation or filtering before sending events out — without a separate service.

Audit log REST API

Query the audit log from your application via a REST API instead of going around Keycloak to the database. Properly scoped, properly authenticated.

Get started

Install from GitHub

Drop the JAR into your Keycloak providers directory, or build from source.

p2-inc/keycloak-events

Audit log docs

The audit log section of the docs covers the event types and the webhook payload shape.

Skip the install

Phase Two managed Keycloak ships with the Events extension and a dashboard for configuring webhooks.

Try the hosted version
