Approving actions with webhooks

See how to use routing rules, webhooks, and approval groups to respond to access requests

Overview

SendAuth allows for straightforward automation with webhooks and routing rules to make it simple for staff to approve requests to external systems.

For this tutorial, the webhook endpoint is an AWS Lambda function URL that grants temporary elevated access to the requestor.

The flow looks like:

[Figure: SendAuth auth flow]

Step 1: Initiate access request

To create the request in SendAuth, we POST to /api/v1/authorize using an API key. The request body looks like:

{
    "tag": {
        "AWS": "Prod"
    },
    "message": "Update DNS record for new service",
    "payload": {
        "user": "bob@sendauth.com"
    }
}

The tag is used for request routing, the message will be provided to approvers, and the payload is included in webhook requests.

Step 2: Route request to the right approval group

We’ve set up an approval group called “Prod Approvers” and populated it with staff who can approve AWS access requests.

[Figure: Prod Approvers approval group]


We then set up a tag routing rule that forwards authorization requests carrying the tag pair AWS=Prod to that group.

[Figure: AWS Prod routing rule]

Step 3: Notify group members

When the above request arrives, the members of the approval group will each receive a notification showing that Bob wants to update DNS records for a new service in production.

Step 4: Approve the request

Any recipient of the authorization request can approve or deny it. If it’s denied, no further processing happens.

Once it’s approved, webhooks associated with the Verify event will fire. Webhooks can be created in an approval group, so that they only fire when the approval group is asked to approve something.

Step 5: Fire webhook

We’ve set up a webhook that receives requests once they have been verified.

[Figure: AWS Prod routing rule]


SendAuth will POST to the URL provided. The request body will look like this:

{
  "id": "7aadaad3-b516-439c-ba11-616dbcc7ac0b",
  "state": "verified",
  "authGroup": {
    "id": "4d0e2245-9dbe-459c-ab48-b1a08c56a968",
    "name": "Prod Approvers",
    "threshold": "1",
    "description": "Members can bless AWS prod requests",
    "users": [
      {
        "id": "335c81d0-2983-4fbd-ba2c-e11b48a87753",
        "email": "john.baker@sendauth.com",
        "firstName": "John",
        "lastName": "Baker"
      },
      {
        "id": "12a78341-9ad3-4347-9ba8-4ab1bf7edb45",
        "email": "jacques.calmes@sendauth.com",
        "firstName": "Jacques",
        "lastName": "Calmes"
      },
      {
        "id": "c16da56f-acc1-4aa5-a600-a5413368cd82",
        "email": "leroy.j.smith@sendauth.com",
        "firstName": "Leroy",
        "lastName": "Smith"
      }
    ]
  },
  "requestor": "bob@sendauth.com",
  "context": "",
  "createdAt": "2025-10-22T18:12:44.715316Z",
  "completedAt": "2025-10-22T18:13:15.599243Z",
  "message": "Update DNS record for new service",
  "tags": {
    "AWS": "Prod"
  },
  "transactions": [
    {
      "id": "3e5baed2-1035-4e88-8c83-31af80965efa",
      "subject": "335c81d0-2983-4fbd-ba2c-e11b48a87753",
      "subjectName": "John Baker",
      "state": "verified",
      "completedAt": "2025-10-22T18:13:15.596438Z",
      "requestor": "bob@sendauth.com",
      "context": "approval group challenge",
      "createdAt": "2025-10-22T18:12:44Z",
      "expiresAt": "2025-10-22T18:17:44Z",
      "message": "bob@sendauth.com is requesting you verify your identity. They requested this from approval group challenge at 2025-10-22 18:12:44. They provided this message: Update DNS record for new service",
      "userMessage": "Update DNS record for new service",
      "approvalID": "7aadaad3-b516-439c-ba11-616dbcc7ac0b"
    },
    {
      "id": "add4d095-7877-43e3-89ae-321261b4f257",
      "subject": "12a78341-9ad3-4347-9ba8-4ab1bf7edb45",
      "subjectName": "Jacques Calmes",
      "state": "pending",
      "requestor": "bob@sendauth.com",
      "context": "approval group challenge",
      "createdAt": "2025-10-22T18:12:44Z",
      "expiresAt": "2025-10-22T18:17:44Z",
      "message": "bob@sendauth.com is requesting you verify your identity. They requested this from approval group challenge at 2025-10-22 18:12:44. They provided this message: Update DNS record for new service",
      "userMessage": "Update DNS record for new service",
      "approvalID": "7aadaad3-b516-439c-ba11-616dbcc7ac0b"
    },
    {
      "id": "84592f30-5b84-4eb1-a9c8-f3fdfdb2253d",
      "subject": "c16da56f-acc1-4aa5-a600-a5413368cd82",
      "subjectName": "Leroy Smith",
      "state": "pending",
      "requestor": "bob@sendauth.com",
      "context": "approval group challenge",
      "createdAt": "2025-10-22T18:12:44Z",
      "expiresAt": "2025-10-22T18:17:44Z",
      "message": "bob@sendauth.com is requesting you verify your identity. They requested this from approval group challenge at 2025-10-22 18:12:44. They provided this message: Update DNS record for new service",
      "userMessage": "Update DNS record for new service",
      "approvalID": "7aadaad3-b516-439c-ba11-616dbcc7ac0b"
    }
  ],
  "payload": {
    "user": "bob@sendauth.com"
  }
}

At this point the service receiving the webhook can validate the request, confirm that its state is verified, and act accordingly. In the AWS privilege case, for example, the verified request would result in the user gaining prod access privileges.
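One way the Lambda behind the function URL could check the body shown above before granting anything, as an added example that is not SendAuth's own code. The expected tag and group name, the five-minute freshness window, the no-self-approval rule and the requirement that payload.user equal the requestor are assumptions; authenticating the sender is not covered because this page does not describe it.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

EXPECTED_TAGS = {"AWS": "Prod"}    # assumption: the only tag pair this endpoint serves
EXPECTED_GROUP = "Prod Approvers"  # assumption: the only group allowed to approve it
MAX_AGE = timedelta(minutes=5)     # assumption: older approvals are treated as replays

def check_approval(body, now=None):
    """Return (user, approver_emails) for an acceptable approval, else raise ValueError."""
    now = now or datetime.now(timezone.utc)
    if body.get("state") != "verified":
        raise ValueError("approval is not verified")
    if body.get("tags") != EXPECTED_TAGS:
        raise ValueError("unexpected tags")
    group = body.get("authGroup") or {}
    if group.get("name") != EXPECTED_GROUP:
        raise ValueError("unexpected approval group")
    members = {u["id"]: u["email"] for u in group.get("users", [])}
    # Count only verified transactions that belong to this approval and to a group member.
    approvers = {members[t["subject"]] for t in body.get("transactions", [])
                 if t.get("state") == "verified"
                 and t.get("approvalID") == body.get("id")
                 and t.get("subject") in members}
    approvers.discard(body.get("requestor"))  # assumption: no self-approval
    if len(approvers) < int(group["threshold"]):  # threshold arrives as a string
        raise ValueError("approval threshold not met")
    # Timestamps in the body look like 2025-10-22T18:13:15.599243Z
    done = datetime.fromisoformat(body["completedAt"].replace("Z", "+00:00"))
    if abs(now - done) > MAX_AGE:
        raise ValueError("approval is stale")
    user = body["payload"]["user"]
    if user != body.get("requestor"):  # assumption: access goes to the requestor only
        raise ValueError("payload user differs from requestor")
    return user, sorted(approvers)

def handler(event, context):
    raw = event.get("body") or ""
    if event.get("isBase64Encoded"):  # function URL events may base64-encode the body
        raw = base64.b64decode(raw).decode("utf-8")
    try:
        user, approvers = check_approval(json.loads(raw))
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return {"statusCode": 403, "body": json.dumps({"error": str(exc)})}
    # Granting the temporary access is deployment-specific and not shown here.
    return {"statusCode": 200, "body": json.dumps({"grant": user, "approvedBy": approvers})}
```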

  • Approval Groups - Learn more about setting up approval groups
  • Webhooks - Complete webhook configuration guide
  • Tag Routing - How to automatically route requests to the right approvers
  • API Reference - Complete API documentation for the /authorize endpoint