InvoanceInvoance
Log inStart free
Developers
Search docs…⌘K
Getting started
OverviewConceptsAuthenticationCreate an API key
API reference
EndpointsErrors
Audit Logs
Quick startIntegrationsEvent schemaExporting eventsSDK reference
AI Attestations
Quick startAttestation schemaVerification & proofSDK reference
Events
OverviewSDK reference
Documents
OverviewSDK reference
Traces
OverviewSDK reference
SDKs
PythonNode.jsGoJavaRubyRust.NETPHPcURL
Verification
How it works
Support
API FAQ
Audit Logs quick start

Zero-code integrations

Point your auth provider's webhooks at Invoance and every organization in your app starts accumulating signed, independently verifiable audit events — sign-ins, membership changes, role updates — before your team writes a line of instrumentation. Clerk and Auth0 are supported today.

How it works

Create the endpoint

Dashboard → Audit Logs → Integrations → Connect provider. You get a unique webhook URL — shown once, stored hashed — plus provider-specific setup steps.

Every delivery is verified

Clerk deliveries carry a Svix signature; Auth0 sends the Authorization token you configured. Nothing is trusted before it verifies.

Events become signed records

Verified events are translated into a clean audit vocabulary, Ed25519-signed, and sealed into each organization's gap-free sequence — identical to events sent via the API.

Organizations appear on their own

Provider events carry the end-customer organization; unknown orgs are auto-created (up to your plan's limit) with their real names, each one a portal link away from being shown to your customer.

Clerk

  1. Create the integration in Dashboard → Audit Logs → Integrations (provider: Clerk) and copy the webhook URL.
  2. In the Clerk Dashboard, open Configure → Webhooks → Add endpoint and paste the URL.
  3. Subscribe to the events you want from the table below — start with the core set.
  4. Copy the endpoint's signing secret (whsec_…) into the integration. If you ever rotate it in Clerk, use Roll secret on the source — same URL, nothing else changes.
Clerk eventBecomesOrganizationTier
organizationMembership.createdmember.addedembedded organization (auto-creates it, with name)core
organizationMembership.deletedmember.removedembedded organizationcore
organizationMembership.updatedrole.changed (role kept in metadata)embedded organizationcore
organization.createdorganization.createdthe organization itselfcore
user.createduser.creatednone → org-less policycore
user.deleteduser.deletednone → org-less policycore
session.revokedsession.revokedsession's active organization (nullable)core
session.createduser.signed_insession's active organization (nullable)high-volume
session.removeduser.signed_outsession's active organization (nullable)high-volume
user.updateduser.updatednone → org-less policyhigh-volume

High-volume tier: session.created fires on every sign-in, session.removed on sign-outs and session expiry, and user.updated on any User-object change including backend metadata writes. They count against your monthly signed-event allotment — subscribe deliberately. session.ended is intentionally not mapped: a single sign-out fires both it and session.removed, which would double-count.

Auth0

  1. Create the integration (provider: Auth0). Auth0 doesn't issue a secret — you invent one, so hit Generate and copy both the URL and the token.
  2. In the Auth0 Dashboard, open Monitoring → Streams → Create Stream → Custom Webhook.
  3. Payload URL: your webhook URL · Content Type: application/json · Content Format: JSON Array · Authorization Token: the generated value — Auth0 sends it on every delivery and Invoance verifies it matches.
  4. Pick the stream's category filters; only the codes below become events.
Log codeAuth0 meaningBecomes
sSuccessful loginuser.signed_in
sloUser successfully logged outuser.signed_out
f / fp / fuFailed login (generic / wrong password / unknown user)user.sign_in_failed (exact code kept in metadata)
ssSuccessful signupuser.created
sduUser successfully deleteduser.deleted
scpSuccessful password changeuser.password_changed
sceSuccessful email changeuser.email_changed
limit_wc / limit_muIP blocked after repeated failed loginsaccount.blocked (code kept in metadata)

Deliveries arrive batched; each entry is processed independently and deduplicated by its Auth0 log id, so replays and partial retries never create duplicates. Events made in an Auth0 Organization context carry org_id / org_name and route (and auto-create) accordingly; events without one follow your org-less policy. Sign-ins and failed logins are high-volume — filter your stream categories with your allotment in mind.

Delivery semantics

The receiver is built for at-least-once delivery: providers retry on failure, idempotency absorbs the retries, and permanent conditions are acknowledged with a 200 so a single odd event can never make your provider disable the endpoint.

200 · receivedEvent mapped, signed, and sealed into the org's gap-free sequence. Clerk gets {received, event_id}; Auth0 batches get {received, accepted, skipped}.
200 · skippedPermanent, per-event condition: unmapped type, org-less event under the skip policy, org over your plan cap, or a paused source. Counted per source with a reason, visible in the dashboard's skip log. Never billed.
401Signature (Clerk) or Authorization token (Auth0) did not verify. Not counted as received.
404Unknown or deleted endpoint token.
429Per-source rate limit (with Retry-After), or your monthly signed-event allotment is exhausted — the provider's own retry becomes the backoff.
5xxTransient failure on our side. The provider retries; per-event idempotency keys (Svix message id / Auth0 log id) guarantee retries never create duplicates.

Quota: only events that are actually signed count against your allotment — skipped events are free, always. Org routing:each source either auto-creates organizations as their events arrive (up to your plan's org limit) or runs in allowlist mode, accepting only organizations you created yourself; org-less events are skipped or routed to a catch-all org you designate. Everything is switchable per source, live, from the dashboard.

Set it up under Dashboard → Audit Logs → Integrations. The receiver endpoint itself is documented in the API reference, and once events are flowing, the quick start shows how to instrument your product's own actions with one call each.

Invoance

Neutral digital proof infrastructure for business. Tamper-evident, independently verifiable records.

Subscribe to our newsletter

Products
Platform
How It Works
Developers
Verify
Resources
Help & Legal
Products
  • Event Ledger
  • Document Anchoring
  • AI Attestation
  • Audit Logs
Platform
  • Why Invoance
  • For Compliance Teams
  • For Finance Teams
  • Pricing
How It Works
  • Overview
  • Event Ledger
  • Document Anchoring
  • AI Attestation
Developers
  • Overview
  • Endpoints
  • Authentication
  • Concepts
Verify
  • Verify Document
  • Verify AI Attestation
  • Verify Event
  • Verify Trace
Resources
  • All Resources
  • SOC 2 Guide
  • HIPAA Guide
  • ISO 27001 Guide
Help & Legal
  • Support
  • Status
  • Verification Help
  • FAQ

Invoance provides technical verification and proof infrastructure for digital records. Invoance does not issue legal, financial, or regulatory advice.

Records anchored through Invoance are cryptographically signed and tamper-evident by design. Invoance does not verify the accuracy, legality, or authenticity of document contents, only that a record existed in a specific form at a specific time. Verification links are publicly resolvable and do not require authentication. Invoance does not act as a custodian of funds, a legal authority, or a regulated financial entity. Use of Invoance does not constitute legal compliance. Consult qualified counsel for your specific obligations.

© 2025 – 2026 Invoance, Inc. All rights reserved.••