POST
/
watch
Create a watch subscription.
curl --request POST \
  --url https://api.auo.com.au/v1/watch \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "entities": [
    "<string>"
  ],
  "events": [],
  "webhook_url": "<string>"
}
'
{
  "subscription": {
    "id": "<string>",
    "account_id": "<string>",
    "events": [],
    "webhook_url": "<string>",
    "entities": [
      {
        "identifier": "<string>"
      }
    ],
    "created_at": "<string>",
    "updated_at": "<string>"
  },
  "secret": "<string>"
}
Watch subscriptions monitor one or more entities and POST a signed webhook to your URL when a monitored change occurs. See Watch and webhooks for signature verification and the event taxonomy. All watch endpoints are under https://api.auo.com.au/v1/watch and require your bearer token.

Create a subscription

POST /v1/watch
events
string[]
required
The event types to subscribe to, for example ["deregistration", "name_change"].
webhook_url
string
required
The HTTPS URL AUO POSTs signed events to.
entities
string[]
required
The identifiers to watch, as bare strings. An 11-digit value is treated as an ABN, a 9-digit value as an ACN, for example ["51824753556", "008583542"].
The 201 response returns the subscription and the signing secret. The secret is shown once, here and on roll, and never again.
Request
curl https://api.auo.com.au/v1/watch \
  -H "Authorization: Bearer auo_sk_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "events": ["deregistration", "name_change"],
    "webhook_url": "https://example.com/hooks/auo",
    "entities": ["51824753556"]
  }'
Response (201)
{
  "subscription": {
    "id": "wsub_tCL7u28Yzg3DUTJLhXzWYw",
    "events": ["deregistration", "name_change"],
    "webhook_url": "https://example.com/hooks/auo",
    "status": "active",
    "entities": [{ "identifier": "51824753556", "id_type": "abn" }],
    "created_at": "2026-07-02T12:22:49Z"
  },
  "secret": "whsec_LawYAxp7fepFkfmXMMDfF3YcNsorbEjXazJTyFuGgM8"
}
Store the secret now. There is no endpoint that returns it again. To get a new one, roll it (below). The read endpoints never include the secret.

List subscriptions

GET /v1/watch Returns the account’s subscriptions. The response never contains a signing secret.

Get a subscription

GET /v1/watch/{id} Returns one subscription by id. Never contains a signing secret.

Update a subscription

PATCH /v1/watch/{id} Update the events, webhook_url, entities, or status of a subscription. Send only the fields you want to change.
curl -X PATCH https://api.auo.com.au/v1/watch/wsub_tCL7u28Yzg3DUTJLhXzWYw \
  -H "Authorization: Bearer auo_sk_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{"events": ["deregistration", "name_change", "sanctions_match"]}'

Delete a subscription

DELETE /v1/watch/{id} Removes the subscription and its watched entities.

Roll the signing secret

POST /v1/watch/{id}/roll Generates a new signing secret and returns it once. The previous secret stops being valid. Use this if a secret may have been exposed.
Response
{ "secret": "whsec_NewSecretShownExactlyOnce" }

See also

Watch and webhooks

Verify signatures and read the event taxonomy.

Changes

Poll for changes if you cannot receive webhooks.

Authorizations

Authorization
string
header
required

Bearer token: auo_sk_test_... (sandbox) or auo_sk_live_... (live).

Body

application/json

Request body for creating a new watch subscription. Each entity is validated as an ABN (11 digits) or ACN (9 digits).

entities
string[]
required

One or more entity identifiers (ABN or ACN) to watch.

Minimum array length: 1
events
enum<string>[]
required

The event types that should trigger webhook deliveries.

Minimum array length: 1

The type of entity change event that can be watched. Subscriptions receive webhook deliveries for each selected event type.

Available options:
deregistration,
name_change,
abn_cancelled,
gst_deregistered,
banned_match,
sanctions_match,
external_administration,
bankruptcy_petition_filed,
charity_status_change,
licensing_change,
professional_registration_change,
relationship_change,
austrac_roll_change
webhook_url
string
required

The HTTPS endpoint to receive webhook POST requests.

Response

Subscription created. The signing secret is returned exactly once.

Response from POST /watch. The secret is the HMAC signing key for verifying incoming webhook payloads. It is shown exactly once and cannot be retrieved again. Store it securely.

subscription
object
required

A watch subscription. The signing secret is NOT present on this object. It is returned exactly once at creation (POST /watch) and once at roll (POST /watch/:id/roll).

secret
string
required

The plaintext HMAC signing secret (whsec_ prefix). Shown once only. Rotate with POST /watch/:id/roll if lost.