Authgear provides the event logs for you to analyze security issues and monitor the business.
You can view the audit log in the Portal, or retrieve logs using the Admin API.
The portal provides an interface for you to look up the log by event and date range.
The Users Activities tab on the Audit Log page filters the log to only show activities performed by a normal user or by an admin on a user's profile.
.png)
The API schema can be found in the Admin API GraphiQL Explorer. For example:
query {
auditLogs(first:5){
edges{
node{
activityType
clientID
createdAt
data
}
}
}
}When using the Admin API, you can filter the Audit Log by an attribute like activityTypes to omit records you're not interested in.
The following is an example that includes filters.
query {
auditLogs(first:5, activityTypes:[USER_AUTHENTICATED,USER_DELETED]){
edges{
node{
activityType
clientID
createdAt
data
}
}
}
}The above query will only return events with activity types USER_AUTHENTICATED and USER_DELETED.
Here is the list of activity types that are logged:
| Activity type | Description |
|---|---|
| AUTHENTICATION_IDENTITY_ANONYMOUS_FAILED | Anonymous user authentication failed |
| AUTHENTICATION_IDENTITY_BIOMETRIC_FAILED | Authentication with biometric failed |
| AUTHENTICATION_IDENTITY_LOGIN_ID_FAILED | A user's login attempt failed because the email or user ID provided is not found |
| AUTHENTICATION_PRIMARY_OOB_OTP_EMAIL_FAILED | Authentication using the OTP sent via email failed |
| AUTHENTICATION_PRIMARY_OOB_OTP_SMS_FAILED | Authentication using the OTP sent via SMS failed |
| AUTHENTICATION_PRIMARY_PASSWORD_FAILED | A user entered an invalid password during a login attempt |
| AUTHENTICATION_SECONDARY_OOB_OTP_EMAIL_FAILED | 2FA via email failed |
| AUTHENTICATION_SECONDARY_OOB_OTP_SMS_FAILED | 2FA via SMS failed |
| AUTHENTICATION_SECONDARY_PASSWORD_FAILED | Secondary authentication using password failed |
| AUTHENTICATION_SECONDARY_RECOVERY_CODE_FAILED | Recovery code verification failed |
| AUTHENTICATION_SECONDARY_TOTP_FAILED | A 2FA attempt failed |
| Activity type | Description |
|---|---|
| IDENTITY_BIOMETRIC_DISABLED | Biometric login is disabled by a user or an admin |
| IDENTITY_BIOMETRIC_ENABLED | User enabled biometric login |
| IDENTITY_EMAIL_ADDED | A user or admin added a new email to an existing user |
| IDENTITY_EMAIL_REMOVED | An email address was removed from an existing user's profile |
| IDENTITY_EMAIL_UPDATED | A user updated their email address |
| IDENTITY_OAUTH_CONNECTED | A profile is linked to OAuth |
| IDENTITY_OAUTH_DISCONNECTED | A profile is unlinked from OAuth |
| IDENTITY_PHONE_ADDED | A user or admin added a new phone number to an existing user |
| IDENTITY_PHONE_REMOVED | A phone number was removed from an existing user's profile |
| IDENTITY_PHONE_UPDATED | A user updated their phone number |
| IDENTITY_USERNAME_ADDED | A user or admin added a new username to an existing user |
| IDENTITY_USERNAME_REMOVED | A user or admin removed the username for a user |
| IDENTITY_USERNAME_UPDATED | The username for a user was updated |
| Activity type | Description |
|---|---|
| USER_ANONYMOUS_PROMOTED | This event is triggered when an anonymous user is promoted to a normal user |
| USER_AUTHENTICATED | Successful user sign-in |
| USER_CREATED | A new user successfully registered |
| USER_DELETED | A user account is deleted |
| USER_DELETION_SCHEDULED | A user account deletion is scheduled |
| USER_DELETION_UNSCHEDULED | A previously scheduled user deletion is unscheduled |
| USER_DISABLED | User account disabled. An admin disabling a users account can trigger this event |
| USER_PROFILE_UPDATED | A user updated details like their profile name, gender and more |
| USER_REENABLED | A user account that was previously disabled is enabled |
| USER_SESSION_TERMINATED | An active user session is terminated |
| USER_SIGNED_OUT | A user that was signed in logged out |
| Activity type | Description |
|---|---|
| WHATSAPP_OTP_VERIFIED | User completed a verification process using WhatsApp to receive OTP |
| SMS_SENT | An SMS notification like OTP was sent to a user |
| EMAIL_SENT | An email notice like verification code was sent to a user |
Each audit log event contains the following attributes in their data
| Attribute | Description |
|---|---|
id | Unique identifier of the event |
seq | Sequence number of the event |
type | Activity type |
context | The who, when and where of the event triggered. e.g. IP address, user agent, user ID, timestamp |
payload | Relevant data according to the event type: Messaging (SMS, Email OTP): the phone number/email address of the receiver Authentication/Identity/User actions: a snapshot of the related session and user attributes |