Audit Logs
Audit logs for user and administrator actions are available in the Audit Logs view of the Auth.it Dashboard. The view lists recent audit events sorted by date and split into two tabs: Access Events and Admin Events.
Audit logs are retained for 30 days and then permanently deleted from our systems.
Access Events tab
The Access Events tab lists events that reflect the actions of all end users in Auth.it and your applications. These include registration, login, and account management activities.
Auth.it records multiple types of access events. The following is a partial list of supported events that you may encounter when debugging user access or account management issues:
- Login events:
LOGIN– A user has logged in.LOGOUT– A user has logged out.CODE_TO_TOKEN– An application/client has exchanged an authorization code for an access token.REFRESH_TOKEN– An application/client has refreshed an access token.USER_DISABLED_BY_TEMPORARY_LOCKOUT– The user exceeded the threshold for temporary lockout and was disabled for a period. A temporary lockout occurs after 30 consecutive login failures and lasts for up to 15 minutes.USER_DISABLED_BY_PERMANENT_LOCKOUT– The user exceeded the threshold for permanent lockout and was disabled. A permanent lockout occurs after 30 consecutive login failures following a prior temporary lockout in the last 12 hours.
- Account events:
REGISTER– A user has registered.SOCIAL_LINK– An account has been linked to a social login provider.REMOVE_SOCIAL_LINK– A social login provider has been removed from an account.UPDATE_EMAIL– The email address for an account has changed.UPDATE_PROFILE– The profile for an account has changed.SEND_RESET_PASSWORD– A password reset email has been sent.UPDATE_PASSWORD– The password for an account has changed.UPDATE_TOTP– Multi-factor authentication (MFA) settings for an account have changed.REMOVE_TOTP– MFA has been removed from an account.SEND_VERIFY_EMAIL– A verification email has been sent.VERIFY_EMAIL– The email address for an account has been verified.
For all events, there is a corresponding error event (suffixed with _ERROR), which indicates a problem performing the associated action.
To review events related to a specific user, use the Events section in that user’s profile instead.
Admin Events tab
The Admin Events tab lists actions performed from the Auth.it Dashboard or through the administrative API. This provides an audit trail of configuration changes and user or organization management actions.
Admin event types are named using a combination of the operation type and resource type — for example, CREATE USER.
Supported operation types are CREATE, DELETE, UPDATE, and ACTION. The ACTION type is used for operations that do not fit into the CRUD model.
The resource type indicates the entity operated on. Examples include USER, ORGANIZATION, REALM (Auth.it instance-wide settings), IDENTITY_PROVIDER (social login providers), REALM_ROLE (global roles), and ORGANIZATION_ROLE (organization roles).
Viewing event details
Clicking any event in either tab opens a detailed view of the event:
The Payload section displays a copyable JSON object with all metadata available at the time of the logged action. This includes the user or administrator performing the action and the entity affected. Because of this, the payload may contain sensitive user information.
In the Webhook Attempts section, you can see whether the event was sent to any configured webhooks and the delivery status of each webhook request.
Using the three-dot menu to the right of a webhook entry, you can navigate to the corresponding webhook configuration or resend the JSON payload to the webhook URL:
