Security Event Token Payloads

The SET payload contains a set of name/value pairs (also known as claims) that describe the event and when it occurred. For example:

{
 "iss": "Akamai Identity Cloud",
 "iat": 1563488631,
 "jti": "b70046bd-44c7-4575-b1a2-9b8556d1f040",
 "aud": "https://example.com/path/to/endpoint",
 "txn": "00000000-0000-0000-0000-000000000000",
 "toe": 1559372400,
 "events": {
   "entityUpdated": {
     "attributes": [
         "email"
         ],
     "captureApplicationId": "zzyn9gy9r8xdy5zkru4y54syk6",
     "captureClientId": "elrrniux51a3nrhfwzklvz3t46lb5n2m",
     "entityType": "user",
     "globalSub": "capture-v1://us.janraincapture.com/zzyn9gy9r8xdy5zkru4y54syk6/user/6b004bc5-179c-45c2-815d-31b06169371d",
     "sub": "6b004bc5-179c-45c2-815d-31b06169371d",
     "id": "00000000-0000-0000-0000-000000000000"
   }
 }
}

These claims are explored in more detail in the following table:

Claim

Description

iss

Indicates the entity that issued the token. For Webhooks v3, the issuer will always be Akamai Identity Cloud.

iat

Specifies the date and time when the token was issued. The iat ("issued at time") claim is formatted using Unix epoch time, which represents the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC) on January 1, 1970. For example, the value 1553405263 represents Saturday, March 23, 2019 at 22:27:43 Pacific Daylight Time. 

jti

The unique identifier for the webhooks notification. Note that this differs from the id claim found in the events claim: the id claim uniquely identifies the event itself, while jti uniquely identifies the event notification.

aud

Intended audience for the webhooks notification. This will always be the URL of the  listener endpoint specified by the customer.

txn

Unique identifier assigned to the request as it passed through the Akamai API gateway.

toe

Date and time when the event occurred; this might occasionally differ from the time that the token was issued (the iat claim). The toe claim is formatted using Unix epoch time, which represents the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC) on January 1, 1970. For example, the value 1553405263 represents Saturday, March 23, 2019 at 22:27:43 Pacific Daylight Time.

events

The actual event itself. The claims specified in any given webhooks notification will vary depending on the type of event. 

If you’re familiar with JSON Web Tokens, you might have noticed that at least two commonly-used claims – exp (Expiration Time) and sub (Subject) – are missing from the token payload. There’s a good reason (actually, two good reasons) for that. For one, security event tokens don’t expire; consequently, there’s no reason to include the exp claim. For another, the sub claim is used whenever applicable. However, that claim will always be included as part of the events claim, and won’t stand out on its own.