Kinde Webhooks not being sent
Hi,
I'm currently facing an issue where Kinde is not sending any webhook event to my endpoint in the prod environment. The endpoint is deployed as a Cloudflare worker and I do not see any logs and I also do not see values being populated in my DB.
To debug the issue, I did the following:
1. Change the Webhook URL in Prod to a local webhook running with Ngrok with the development environment JWKS URI and create a role to trigger the event.
2. The call fails (which is expected) due to the kid mismatch between the prod event header kid and dev JWKS URI kid in the keys.
3. I intentionally did the above step so that Kinde can keep retrying the request during my debugging process.
4. Grab the Kinde JWT event from the local console.log
5. Use this event as the payload to my actual CF worker endpoint that was linked to prod webhook using Postman. This request succeeds. I can see the logs and I can see my DB being populated. This confirmed that my CF worker endpoint is configured properly with the prod env JWKS URI and that it can be invoked.
6. Switch over the Webhook URL in prod from the local Ngrok endpoint to the CF worker endpoint so that the retrying of the failed events can hit the CF worker endpoint. I do not see any invocations.
Note:
1. The configurations of both the webhooks are the same, i.e. they listen to the same events.
2. The endpoint works as I can successfully make requests using Postman.
3. I'm aware of the exponential backoff and retry of the event...The first 4 events of the retry until the "After 2 minutes" were pointing to the local Ngrok endpoint which were supposed to fail (described in point 2 above) and I switched it over to the CF worker endpoint after testing with Postman before it hit the "After 10 minutes" retry mark. I have even waited until over an hour to see if I get any logs on my CF worker (success or failure)...No logs.
The conclusion that I'm at is the Kinde is sending Webhook event but it does not work with CloudFlare Workers ?
19 Replies
Hey there.
Thanks for reaching out, and sorry you're running into issues. Here are a few things to check based on our docs: 1. Go to Settings → Environment → Webhooks and make sure your production webhook is active and subscribed to the right events (like
Thanks for reaching out, and sorry you're running into issues. Here are a few things to check based on our docs: 1. Go to Settings → Environment → Webhooks and make sure your production webhook is active and subscribed to the right events (like
role.created).
2. Scroll down to Request Attempts — if you don’t see anything here (not even failures), Kinde hasn’t tried sending anything yet.
3. If a webhook fails, we retry on a backoff schedule (5s, 30s, 2m, 10m, 1h, etc.). If you changed the URL mid-retry, earlier retries still go to the old URL. You’ll need to wait for the next one.
4. Make sure your Cloudflare Worker is publicly accessible over HTTPS and not blocking external IPs (no allowlist or firewall rules).
5. Double-check that the JWKS URI in your prod webhook settings matches the one your Worker is using to validate JWTs. A mismatch will cause the request to fail and retry.
Quick questions to help us debug:
- Do you see any request attempts in the Dashboard (even failed ones)?
- Is the JWKS URI correct in the webhook config?
- Any IP/firewall rules that might block Kinde?
Let us know what you find! We're here to helpHi Ages,
1. Yes, it is active and subscribed to all the org/user/role/permission events
2. Where do I see "Request Attempsts" ? I can't seem to find that section in my Kinde console
3. I have tried creating new events after switching the URL...still no luck
4. Yes, the worker is publically accessible over HTTPS. No rules blocking anything
5. Yes, they are correct as I was able to successfully test it when I made requests from Postman. The issues is I'm not seeing any events in my Worker logs...failed/success. This point is can be looked at when the request reaches my endpoint. But at the moment the worker endpoint is not even invoked for the request to succeed or fail
* I do not know where to look in the Dashboard. I cannot seem to find any section related to that. Can you please help me point to the right place because I have looked at every page in the Kinde dashboard. I do not see any section for "Request Attempts"
* Yes, the JWKS URI is correct. But this will matter only if the endpoint atleast receives an event. Which is not the case at the moment
* No IP/Firewall rules
Both requests are from Postman... The first failed request is when hitting the API without any payload which threw a invalid JWT token which was expected.
The second one is the successful one where I sent the captured Kinde JWT payload (as described in my original post) with Postman....The endpoint is reachable and all the JWKS config is setup properly hence the request was successful
But I do not see any other events in my logs though I have done many actions that would trigger many events
Log from the successful request from Postman
Log from failed request from Postman when I try to invoke it without a payload to check if it was publically accessible
The current issue is that Kinde events are not even reaching the endpoint. Whether they succeed/fail would only matter if the event reaches the endpoint in the first place.
Here is a programmatic test to the endpoint
And this is the Event JWT that I used during my debugging process if it is of any help. I do not seen any sensitive information in the decoded JSON but feel free to redact this if you want to:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImRlOmU4OjhkOmQ5OjY4OmE4OjZiOmI1OmVhOmY0OjQ0OmRjOjc0OjI2OjkyOmZmIiwidHlwIjoiSldUIn0.eyJkYXRhIjp7InJvbGUiOnsiZGVzY3JpcHRpb24iOm51bGwsImlkIjoiMDE5Njk2NzAtZDQ5My0zZTVmLTI2N2MtNWRjODIzNmVhZjA3IiwiaXNfZGVmYXVsdF9yb2xlIjpmYWxzZSwia2V5IjoiZGVmYXVsdF90ZXN0IiwibmFtZSI6IlRlc3QifX0sImV2ZW50X2lkIjoiZXZlbnRfMDE5Njk2NzBkNDlhNjE0OWE2MDVmYThkMjFhOTAwZmYiLCJldmVudF90aW1lc3RhbXAiOiIyMDI1LTA1LTAzVDEzOjU4OjE4LjkyNDg5NyswMDowMCIsInNvdXJjZSI6ImFwaSIsInRpbWVzdGFtcCI6IjIwMjUtMDUtMDNUMTQ6MDc6MzUuOTEwNjc5MTc2WiIsInR5cGUiOiJyb2xlLmNyZWF0ZWQifQ.pa8YGbiv4jAp-IIiVHCAf7KTSfaPubDoLCTDNeRi5WGXJ-EgJJQEKTGluSy7gn0sJA0KjOUQ2dci1uEtBUBeum3hR7onikOYhw668UiygEhYOC_dWyGdZeh_1m-T7Up4oCkzVr0tsSPqMYO9Mo791af3lJbIp-n1qeOVd6Xhda1OJmrlE81qXwDRYCi0gY-ilPdCUA3Ll7CargiXCdiNWxMekfS9OJHS2EqsGfGof5si7yfQJQsTF5gfFGUK2Bfit7oDYIc_rXzzWr4o6nMeFEDY0a3BWYuxBFDwrmxo8KKQGh-AhxCgOpppuqIC74kSH2OI9kBfNzIvEZ4yvdovtA
Successful tests to the endpoint with the above event JWT from Postman and Python code shared above
Proof that the JWKS URI is configured properly on the endpoint. Log from the test request from the python code above
Hi Maxom,
Thank you for taking the time to run those extensive tests.
Per our documentation, Kinde does implement an exponential backoff retry mechanism (up to 36 hours in total) https://docs.kinde.com/integrate/webhooks/about-webhooks. As for the issue you're facing — webhooks not reaching your Cloudflare Worker — here’s what we’ve confirmed so far:
- The webhook is active and subscribed to the correct events.
- Your Cloudflare Worker is publicly accessible and responds correctly when triggered manually.
- The JWKS URI is correctly configured and validated via both Postman and code-based tests.
- You’ve waited beyond the expected retry intervals (including after the 10-minute mark).
- You switched the webhook URL from the local (Ngrok) endpoint to the Cloudflare Worker before the next retry window.
Given all of this, it does appear that Kinde may not be retrying the previously failed event after the URL change — or retries are still being sent to the original endpoint. I can confirm that there currently isn’t a “Request Attempts” section in the UI, which is understandably making this harder to debug on your end.
I’ve escalated this to our engineering team so they can investigate further internally. I’ll circle back with any updates as soon as I hear back from them.
In the meantime, if you've generated any new events after switching to the Cloudflare Worker, please let me know — those should immediately target the updated URL.
We’ll get to the bottom of this
I have switched back to the Cloudflare worker and have also tried generating many events...but they are not invoking the worker as I do not see any logs for the events and my DB is also not being populated. My DB will be populated if the endpoint is invoked, which is not happening
Hi Ages,
Some additional update. I have an API monitoring system in place both for dev and prod, where I get real time failure notifications if my API encounters any system errors.
To your point:
"Given all of this, it does appear that Kinde may not be retrying the previously failed event after the URL change — or retries are still being sent to the original endpoint."
Based on the logs and notifications in my monitoring system, my observation is that Kinde retries still target the original URL against which it encountered the error. i.e switching endpoint URL's on Kinde webhook does not update the target for the Kinde error retries.
After updating my webhook endpoint URL to the CF Worker and making calls like creating roles which should trigger events, I do not see any invocations to my CF worker. If there was a way for me to look at webhook event delivery logs that would have been super helpful for debugging but I'm sort of lost at the moment
Hi Maxom,
We've escalated the issue internally and will be looking into it further. As this may require input from our UK-based team, it could take a couple of days to fully investigate.
In the meantime, if possible, could you please share any relevant logs, screenshots of errors, or other supporting details? This will help us provide the necessary context for our team to troubleshoot effectively.
We'll keep you updated as we make progress.
Hi Ages,
Thanks for the response. I have shared all the logs, screenshots when the endpoint is manually invoked showing that it is publicly accessible and is configured properly with Kinde (JWKS etc.)
I have no other information because my endpoint is not being invoked by Kinde for the webhook events and Kinde does not provide any visibility into the Webhook delivery in the dashboard
Hi Maxom,
As mentioned earlier, we've escalated this internally and are looking into it. It may take a couple of days, especially since we may need to involve our UK-based team for further troubleshooting. In the meantime, we’re continuing to work on gathering more information, and your logs have been very helpful for context.
I understand the difficulty of not having visibility into webhook delivery through the dashboard. Rest assured, we're taking this into account as we investigate the issue.
If you have any further updates, questions, or if there's anything else you'd like us to look into, please feel free to share it. We’ll keep you informed as we make progress.
Thanks again for your cooperation.
Hi Maxom,
Just to clarify, when the url is initially set to your prod endpoint it doesn't work at all, and when you're trying to trigger a failed webhook event and change the endpoint for the retries it also doesn't work? I think the issue with the debugging part is that once a webhook has been triggered the retry attempts will all be on the original url, you can't change this in between attempts.
As for the main prod issue it sounds like the requests are being blocked by cloudflare, are there any logs you can use to debug this? If you provide me with your kinde domain, region if you know it and the endpoint you're trying to use I can take a look at the webhook request logs to see what the returned status code is from the attempts.
Just to clarify, when the url is initially set to your prod endpoint it doesn't work at all, and when you're trying to trigger a failed webhook event and change the endpoint for the retries it also doesn't work? I think the issue with the debugging part is that once a webhook has been triggered the retry attempts will all be on the original url, you can't change this in between attempts.
As for the main prod issue it sounds like the requests are being blocked by cloudflare, are there any logs you can use to debug this? If you provide me with your kinde domain, region if you know it and the endpoint you're trying to use I can take a look at the webhook request logs to see what the returned status code is from the attempts.
Hi David,
Yes, from my API monitoring system logs, I figured out that retry attempts are going to the original url.
It feels like there is some issue going on between Kinde - Cloudflare interactions as directly invoking the endpoint works. For the Kinde webhook events to Cloudflare, there are no invocation logs that I can see.
Is there a way to DM the details to you ?
Hi Maxom,
Sure if you join our slack community you can DM me there: https://join.slack.com/t/thekindecommunity/shared_invite/zt-25gshkj52-AAn0R3V86WWsWkd8IH\~\~0g
Alternatively you can email me directly on [email protected]
Just an FYI I'm out of office tomorrow.
Sure if you join our slack community you can DM me there: https://join.slack.com/t/thekindecommunity/shared_invite/zt-25gshkj52-AAn0R3V86WWsWkd8IH\~\~0g
Alternatively you can email me directly on [email protected]
Just an FYI I'm out of office tomorrow.
Hi David, no worries.
The Slack link does not seem to work for some reason so I have emailed you directly. Thanks