Audit Events

Descope exposes a set of audit events that you can query through the Descope UI, and also using the SDK. The audit events document Descoper and also end-user activity, providing the visibility you need to ensure your Descope project is traced, monitored, and secured. We cover this topic more thoroughly in this article.

Audit Events

Note

When the action performed is considered sensitive, the type is defined as "Warning".

NameTypeMore information
UserCreatedInformationIf self registration is available, the "Actor ID" will be the same as the "User ID". Otherwise, the actor will be the Descoper or the used Management Key.
UsersCreatedInformationMultiple users created.
UserDeletedInformationUser deleted.
UserModifiedInformationUser modified.
UsersModifiedInformationMultiple users modified.
UsersDeletedInformationMultiple users deleted.
AccessKeyCreatedInformationAccess key created.
AccessKeyDeletedInformationAccess key deleted.
AccessKeyModifiedInformationAccess key modified.
AccessKeysDeletedInformationMultiple Access Keys Deleted.
LoginSucceedInformationIf impersonation was performed, the "Method" field will be "Impersonate".
LoginFailedWarningReason for failure is shown inside the "Data" section, under "error_message".
LoginExceedMaxAttemptsWarningIndicates that max attempts for user has been reached, user is disabled.
LoginStartedInformationIndicates that a login process has started for multi-step authentication methods, like SSO, passkey, OTP and more.
LoginStartedFailedWarningIndicates that the LoginStarted event had failed. When the user did not complete the process correctly, or there is a problem with the authentication setup.
UserRefreshInformationOnly available in verbose mode.
ProjectDeletedWarningProject deleted.
PermissionCreatedInformationPermission created.
PermissionModifiedInformationPermission modified. "Data" contains the "permission_id" that has been affected.
PermissionDeletedWarningPermission deleted. "Data" contains the "permission_id" that has been affected.
RoleCreatedInformationRole created.
RoleModifiedInformationRole modified. "Data" contains the "role_id" that has been affected.
RolesDeletedWarningRole deleted. "Data" contains the "role_id" that has been affected.
RolesImportedWarningRole imported. "Data" contains the "role_id" that has been affected.
ProjectSettingsInformationProject Settings modified.
TenantSettingsInformationContains the tenant's ID in the "data" section.
MagicLinkSettingsInformationMagic Link related settings were changed.
EnchantedLinkSettingsInformationEnchanted Link related settings were changed.
OTPSettingsInformationOTP related settings were changed.
SAMLSettingsInformationSAML related settings were changed.
OAUTHSettingsInformationOAuth related settings were changed.
WebauthnSettingsInformationWebauthn related settings were changed.
TOTPSettingsInformationTOTP related settings were changed.
MessageProviderSettingsInformationMessage Provider related settings were changed.
PasswordSettingsInformationPassword Settings / Policy Changed.
CustomAttributeAddedInformationCustom Attribute created.
CustomAttributeDeletedInformationCustom Attribute deleted.
ConnectorModifiedInformationA connector has been modified.
ConnectorCreatedInformationA connector has been created.
ConnectorDeletedInformationA connector has been deleted.
CustomAttributesMissingErrorMissing User / Tenant Custom Attribute. This indicates that the tenant or user selected does not have the required attribute that was used inside a flow / SDK.
TenantDeletedInformationA tenant has been deleted.
TenantCreatedInformationA tenant has been created.
TenantCustomAttributeModifiedInformationA Tenant's custom attribute has been modified.
TenantDomainModifiedInformationA tenant's email domain has been modified.
TenantProvisioningModifiedInformationA Tenant's Provisioning Settings has been modified.
TenantCustomAttributeAddedInformationA Tenant's custom attribute has been added.
TenantCustomAttributeDeletedInformationA Tenant's custom attribute has been deleted.
FlowsDeletedInformationContains the flow id & name that has been deleted in the data.
ThemeUpdatedInformationA theme has been updated.
FlowCreatedInformationContains the flow id & name that has been created in the data.
FlowUpdatedInformationContains the flow id & name that has been changed in the data.
CreatePasswordInformationA password has been created for a user.
ChangePasswordInformationA password has been changed for a user.
ExpirePasswordInformationA password has been expired for a user.
RemovePasskeysInformationA passkey has been removed for a user.
SignKeyGeneratedRevokedInformationThe project's JWK (signing key for validating JWTs) has been rotated.
SSOConfigurationLinkGeneratedInformationSSO configuration link was generated. The generated link can be found inside data under "link". The link's expiration time can be found inside data under "expiration_time".
SSOConfigurationLinkRevokedInformationSSO configuration link was revoked. The revoked link can be found inside data under "link".

Fields

  • Actor ID - contains the user that performed the action on the entity/ies in case it was done by a Descoper. If the action was performed by SDK, the "Actor ID" will contain the management key that is linked to the management action.
  • User ID - The destination user that the action was performed on.
  • Action - The action performed.
  • Occurred - Date of occurrence.
  • Device - The source device of the action, could be "Desktop", "Mobile", etc. Can also reflect the SDK that was used - e.g. "NodeJS".
  • Method - The authentication method used.
  • Remote Address - IP address (v4/v6) of the origin of the request.
  • Login IDs - The primary identification for the authentication.
  • Country - Origin of the request, most of the times, bound to the IP Address.
  • Data - Holds the entire request sent to Descope's API in a JSON format. Displays raw information about the entire request including more details about the user, their device, the flow ID and execution ID, etc.
  • SP SAML / OIDC request - Only For LoginStarted Event. Contains details of the SP request initiated by Descope for SSO.
  • IdP SAML / OIDC response - Only for LoginSucceed / LoginFailed events. Contains the IdP response for SSO.
  • Generated user from IdP SAML / OIDC response - Only for LoginSucceed. Contains the generated user object from the IdP response for SSO.
  • Generated roles from IdP SAML / OIDC response - Only for LoginSucceed. Contains the generated roles from the IdP response for SSO.

Verbose

The "Verbose" option allows the "User Refresh" event to be audited, which is not audited by default.

Creating Custom Audit Events

At some point in your customer's lifecycle, you will need to add more and more events to support your product's transparency. With Descope, you can create audit events using the Management API.

Shipping Logs

You can use our out-of-the-box connectors to ship the audit event to different third-party applications, such as DataDog, Segment and HubSpot to orchestrate the user journey.

Audit Widget

When your project supports multiple tenants, Descope lets you hand over the audit logs to your customers using the audit log management widget. This widget helps you automate exposing this kind of audit logs to your customers by embedding an out-of-the-box component in your app. To read more about the widget, click here.

Correlating audit and troubleshooting logs

When debugging issues that users might face, it is crucial to know the context of the user’s actions, whether they tried to log in with a specific authentication method or even if they reached the point in the flow where OTP is involved. The troubleshooting logs contain a ‘Flow execution ID.’ Matching this value with the audit’s ‘correlation_id’ (inside the data field) is a powerful tool that provides you with the context of what the user did and where they encountered an issue, making your troubleshooting process more efficient

Was this helpful?

On this page