Allowed Events

Use this page to manage the allow list that gates which inbound events are dispatched to which destinations.

Where this fits in the dispatch flow

Events flow through four stages on the way from a source to a destination:

Allowed Events is the first stage that can drop an event. An inbound event is matched against allowed events by name, case-insensitively. If no allowed event matches, the event is dropped — nothing downstream ever sees it. If a match is found, the event is routed only to the destinations listed in that allowed event's destinationIds. Everything that survives the allow-list stage then goes through Data Governance and the destination's Mappings before dispatch.

Naming rules

• name is the gate. Match against inbound events is case-insensitive and exact (no whitespace trimming on the inbound side — the allowed event's name is trimmed at create time and is expected to be the canonical form).
• Names must be unique within the account.
• Names cannot exceed the platform event-name length cap.
• Names starting with $ are reserved for system events. Only $identify is accepted; everything else (e.g. $heatmap_click) is rejected at create time.

Violations return 409 with the reason in the response error field.

Adding and removing destinations

destinationIds is the second gate. An allowed event routes to exactly the destinations on its list — adding a new destination to your account does not automatically attach existing allowed events to it.

Use PATCH /rest/v1/allowed-events/{id} to change the list. The list is replaced wholesale, so the canonical pattern is fetch → modify → PATCH:

# Read the current destination list
curl "$BASE/rest/v1/allowed-events/$ID" \
  -H "Authorization: Bearer $TOKEN"

# Append a destination and PATCH
curl -X PATCH "$BASE/rest/v1/allowed-events/$ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "destinationIds": ["dest_existing_a", "dest_existing_b", "dest_new_c"] }'

Unknown ids and ids belonging to other accounts are silently filtered out at write time — the response echoes the filtered list, so a follow-up GET is not required to confirm what was saved.

Operational signals

Two read-only timestamps surface dispatch health:

• lastTriggeredAt — the most recent inbound event the platform observed for this name. null when never observed.
• lastDispatchedAt — the most recent successful dispatch to any destination on destinationIds. Lags lastTriggeredAt when the event is dropped by Data Governance or by a destination's Mappings.

A non-null lastTriggeredAt with a null or stale lastDispatchedAt is the canonical signal that an event is reaching the platform but being filtered out downstream — start your debug there.

Both timestamps are returned on GET /rest/v1/allowed-events/{id}, POST /rest/v1/allowed-events, and PATCH /rest/v1/allowed-events/{id}. The list response (GET /rest/v1/allowed-events) omits them — fetch the individual event when you need the timestamps.

curl -X GET "https://app.oursprivacy.com/rest/v1/allowed-events"

{
  "entities": [
    {
      "id": "string",
      "name": "string",
      "destinationIds": [
        "string"
      ],
      "trigger": "string",
      "createdAt": "string",
      "updatedAt": "string"
    }
  ]
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

curl -X POST "https://app.oursprivacy.com/rest/v1/allowed-events" \  -H "Content-Type: application/json" \  -d '{    "name": "string"  }'

{
  "id": "string",
  "name": "string",
  "destinationIds": [
    "string"
  ],
  "trigger": "string",
  "createdAt": "string",
  "updatedAt": "string",
  "lastTriggeredAt": "string",
  "lastDispatchedAt": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

curl -X GET "https://app.oursprivacy.com/rest/v1/allowed-events/string"

{
  "id": "string",
  "name": "string",
  "destinationIds": [
    "string"
  ],
  "trigger": "string",
  "createdAt": "string",
  "updatedAt": "string",
  "lastTriggeredAt": "string",
  "lastDispatchedAt": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

curl -X PATCH "https://app.oursprivacy.com/rest/v1/allowed-events/string" \  -H "Content-Type: application/json" \  -d '{}'

{
  "id": "string",
  "name": "string",
  "destinationIds": [
    "string"
  ],
  "trigger": "string",
  "createdAt": "string",
  "updatedAt": "string",
  "lastTriggeredAt": "string",
  "lastDispatchedAt": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

curl -X DELETE "https://app.oursprivacy.com/rest/v1/allowed-events/string"

true

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}

{
  "error": "string",
  "details": "string"
}