The full taxonomy of audit event types your tenant emits. Closed set; new types ship in minor releases (additive only; existing types are never renamed or removed).
Each event has a type (the string you filter on) + a data payload (operation-specific fields).
Authentication family
Sign-in, sign-out, MFA, session lifecycle.
| Type | When |
|---|---|
| user.signed_in | A user successfully signed in. data includes amr (auth methods used), acr (AAL level). |
| user.signed_in.failed | Sign-in attempt failed. data includes the email submitted + the error code. |
| user.signed_out | Sign-out via /oauth2/logout or in-app logout. |
| user.session_revoked | A session was revoked (by user, by admin, by reuse detection). |
| user.mfa_required | The sign-in reached the MFA step. data includes available_factors. |
| user.mfa_succeeded | MFA challenge succeeded. data includes which factor was used. |
| user.mfa_failed | MFA challenge rejected. data includes the factor + reason. |
User-lifecycle family
User record changes.
| Type | When |
|---|---|
| user.created | New user record created (via signup, admin create, bulk import, SSO JIT). |
| user.updated | Profile or attribute edit. data includes the diff. |
| user.disabled / user.enabled | Soft state toggle. |
| user.deleted | Hard delete. |
| user.email_verified | A pending email verification completed. |
| user.email_change_requested / user.email_change_completed | Email change flow. |
| user.password_reset_requested / user.password_reset_completed | Password reset flow. |
| user.password_set_by_admin | An admin directly set a password. data.temporary flag. |
| user.force_password_reset_set | An admin marked the user as requiring a password reset on next sign-in. |
| user.invited / user.invitation_accepted / user.invitation_revoked | Invitation lifecycle. |
| user.bulk_imported / user.bulk_exported | Bulk operations. |
MFA-factor family
Factor enrolment + management.
| Type | When |
|---|---|
| mfa.factor_enrolled | New factor enrolled. data.factor includes kind + id. |
| mfa.factor_removed | Factor removed by user or admin. |
| mfa.factor_admin_reset | Admin force-reset removed all factors. |
| mfa.backup_codes_regenerated | User regenerated backup codes. |
Application family
OAuth/OIDC application records.
| Type | When |
|---|---|
| application.created | New application registered. |
| application.updated | Configuration edit. data includes the diff. |
| application.disabled / application.enabled | State toggle. |
| application.deleted | Hard delete. |
| application.secret_rotated | Client secret rotated. data includes the previous_expires_at timestamp. |
| application.token_settings_updated | Per-application access / id / refresh token TTL or rotation policy was edited. data includes the diff against the previous setting and the application id. |
| application.saml_config_updated | The application's SAML configuration was edited (entity id, ACS URL, NameID format, attribute mapping, signing prefs). data includes the diff. |
| application.saml_cert_rotated | Admin started a SAML signing-cert rotation. data includes the new cert fingerprint, the deadline by which finalisation must run, and whether the old cert is still active during the overlap window. |
| application.saml_cert_finalized | Admin finalised the rotation; the old signing cert is now revoked and only the new cert validates. data includes the finalised cert fingerprint. |
| application.saml_cert_revoked | Admin revoked the active SAML signing cert outside of a rotation (emergency revoke). The application is disabled as part of the same operation. data includes the reason if supplied. |
| application.bulk_operation | Bulk disable / enable / delete. |
Federation family
OIDC + SAML connections.
| Type | When |
|---|---|
| federation.connection_added / _updated / _disabled / _deleted | Connection lifecycle. |
| federation.metadata_refreshed | The platform refreshed the IdP metadata (e.g., for cert rotation). |
| federation.sso_completed | A user successfully signed in via a federation connection. |
| federation.sso_failed | A federated sign-in failed. data includes the SAML / OIDC error code. |
Admin operations family
Tenant-admin operations on the platform.
| Type | When |
|---|---|
| admin.member_invited / admin.member_removed / admin.member_role_changed | Tenant admin membership changes. |
| admin.policy_updated | Authentication / MFA / password / audit policy edits. data includes which policy + the diff. |
| admin.role_created / admin.role_updated / admin.role_deleted | Custom role lifecycle. |
| admin.knob_set | A tenant setting was changed. data includes the knob name + new value. |
| knob.override_set | An admin set or cleared a tenant-scoped override for a knob whose default comes from the plan. data includes the knob slug, the previous effective value, the new value, and whether the override clears back to the plan default. Emitted alongside admin.knob_set; the override event carries the plan-vs-tenant resolution context the bare knob set doesn't. |
Flow + Action family
Custom-logic surface.
| Type | When |
|---|---|
| flow.action_attached | Action added to a flow slot. |
| flow.action_detached | Action removed. |
| flow.action_updated | Action config changed within a flow slot. |
| flow.action_executed | Action ran. data includes outcome + duration + logs. |
| flow.action_published | A new Action version was published. |
| flow.run_completed | A flow run completed. data includes per-step outcomes. |
Branding family
| Type | When |
|---|---|
| branding.logo_updated / branding.favicon_updated | Visual asset uploads. |
| branding.theme_colors_updated | Colour pickers saved. |
| branding.custom_css_updated | CSS pasted + saved. |
| branding.email_template_updated | Email template edits. |
Security family
Auto-detected security events.
| Type | When |
|---|---|
| security.brute_force_detected | Rate-limit / lockout triggered for a user or IP. |
| security.token_reuse_detected | A refresh token was used twice. The token family was invalidated. |
| security.rate_limit_hit | A non-brute-force rate limit was triggered. |
| security.breach_incident_opened / _resolved | A breach-feed match against a user. |
| security.threat_feed_hit | A sign-in attempt's IP matched a configured threat feed. |
| security.captcha_required / security.captcha_passed / security.captcha_failed | Captcha challenges. |
Audit-of-audit family
Audit log meta-operations.
| Type | When |
|---|---|
| audit.exported | A bulk audit export was triggered. |
| audit.stream_destination_created / _updated / _disabled / _deleted | Stream destination lifecycle. |
| audit.stream_event_delivered / _failed | Individual stream delivery attempts (high volume — usually filter out unless investigating stream health). |
| audit.stream_buffer_full | A destination's buffer overflowed; events were dropped. |
OAuth family
OAuth-protocol-level events.
| Type | When |
|---|---|
| oauth.token_issued | A token was minted. data includes grant_type + audience + scopes granted. |
| oauth.token_refreshed | A refresh-token grant succeeded. |
| oauth.token_revoked | A token was explicitly revoked. |
| oauth.token_request_failed | A token request failed. data includes the error code. |
| oauth.token_exchange_completed | A token-exchange grant succeeded. |
Field shapes
All events share the envelope (id, type, occurred_at, actor, target, outcome, data, context). The data field is type-specific — see the full per-type schema in the export's JSON or the developer-side audit reference.
For filtering, the type string is the primary handle. For correlation, the request_id in context threads related events together.
Adding new event types
The platform adds event types over time. The taxonomy is append-only — existing types are never renamed or removed. New event types appear in:
- The Audit → Read logs filter picker (auto-populated from emitted events).
- The developer-side audit-events reference.
- The release notes.
If your downstream code matches on event-type strings, treat unknown types as "log and ignore" — never throw on an unrecognised type.
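
A downstream consumer that follows the "log and ignore" rule and correlates by `context.request_id`, as an added example (not the platform's own code). The `process` function, the choice of tracked and alerting types, and the sample events (including the made-up type `device.trust_updated`) are assumptions for illustration.

```python
import logging
from collections import defaultdict

log = logging.getLogger("audit_consumer")

# Which types to alert on or track is this example's assumption, not platform policy.
ALERT_TYPES = {"security.token_reuse_detected", "audit.stream_buffer_full"}
TRACKED_TYPES = ALERT_TYPES | {"user.signed_in.failed", "user.mfa_failed"}

# Constructed sample events: ids, request ids and the last type are made up;
# the other envelope fields (occurred_at, actor, target, outcome, data) are omitted.
SAMPLE_EVENTS = [
    {"id": "evt_1", "type": "user.mfa_failed", "context": {"request_id": "req_a"}},
    {"id": "evt_2", "type": "user.signed_in.failed", "context": {"request_id": "req_a"}},
    {"id": "evt_3", "type": "security.token_reuse_detected", "context": {"request_id": "req_b"}},
    {"id": "evt_4", "type": "device.trust_updated", "context": {"request_id": "req_c"}},
]

def process(events):
    """Return (alerts, by_request, ignored); never raises on an unknown type."""
    alerts, ignored = [], []
    by_request = defaultdict(list)
    for ev in events:
        etype = ev.get("type")
        if etype not in TRACKED_TYPES:
            # Append-only taxonomy: a type we do not know is expected, not an error.
            log.info("ignoring audit event type %r (id=%s)", etype, ev.get("id"))
            ignored.append(etype)
            continue
        req = (ev.get("context") or {}).get("request_id")
        if req is not None:
            by_request[req].append(etype)  # thread related events together
        if etype in ALERT_TYPES:
            alerts.append((etype, ev.get("id"), req))
    return alerts, dict(by_request), ignored

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(process(SAMPLE_EVENTS))
```

Counting the ignored types, rather than only logging them, gives you a signal to review the release notes when a new type starts appearing.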