Security event delivery (SSF / CAEP / RISC)

Slatehub publishes Security Event Tokens (RFC 8417) to your registered webhook whenever something changes that affects an active user session at your app — e.g. a role update, profile change, or org-membership revocation.

Configuring

In your org's Settings → API & Integrations page, set:

SET format

Each delivery is a single JWT (signed with EdDSA, same key as id_tokens) in the request body:

{
  "iss": "https://slatehub.com",
  "aud": "your_client_id",
  "iat": 1700000000,
  "jti": "...",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/token-claims-change": {
      "subject": { "format": "opaque", "id": "person:abc123" },
      "event_timestamp": 1700000000,
      "claims": {
        "slatehub_org_role": "admin",
        "slatehub_permissions": ["billing.read","members.write"]
      }
    }
  }
}

Event types

caep/token-claims-change
The user's claims have changed. Refresh your local cache or call /userinfo. Tokens remain valid.
caep/session-revoked
The user's session was revoked. Treat their tokens as invalid.
risc/account-disabled
The user's Slatehub account has been disabled.
slatehub/org-membership-revoked
The user is no longer a member of your org. Their session at your app is also revoked server-side.

Verifying the signature

Fetch https://slatehub.com/.well-known/jwks.json and verify the signature with the JWK whose kid matches the kid in the JWT header.

Responding

Return any 2xx HTTP status to acknowledge. Non-2xx responses are retried with backoff for up to 8 attempts, except that 4xx statuses other than 408 are treated as permanent failures and are not retried.