Audit Events Reference
Complete reference of all audit event types tracked by AuthOS. Events are categorized into organization-level and MFA-specific events.
Organization Audit Events
Organization audit events track administrative actions performed within an organization. These events are accessible via the Organization Audit Logs API.
User Management Events
user.invited
Triggering Action: Team member invitation sent via /api/organizations/{org_slug}/invitations
Description: An invitation to join the organization was created and sent.
Details Payload:
{
"email": "newuser@example.com",
"role": "member",
"invitation_id": "uuid"
}
user.joined
Triggering Action: User accepts invitation via /api/invitations/{token}/accept
Description: A user accepted an invitation and joined the organization.
Details Payload:
{
"invitation_id": "uuid",
"user_email": "user@example.com"
}
user.removed
Triggering Action: Member removed via /api/organizations/{org_slug}/members/{user_id}
Description: A user was removed from the organization.
Details Payload:
{
"user_email": "removed@example.com",
"reason": "voluntary_leave"
}
user.role_updated
Triggering Action: Member role updated via /api/organizations/{org_slug}/members/{user_id}/role
Description: A user’s role within the organization was changed.
Details Payload:
{
"user_email": "user@example.com",
"old_role": "member",
"new_role": "admin"
}
user.anonymized
Triggering Action: User data anonymization via Privacy API /api/privacy/forget/:user_id
Description: A user’s personal data was anonymized in compliance with GDPR Right to be Forgotten.
Details Payload:
{
"user_id": "uuid",
"anonymized_fields": ["email", "name", "oauth_identities"]
}
Service Management Events
service.created
Triggering Action: Service created via /api/organizations/{org_slug}/services
Description: A new service was created within the organization.
Details Payload:
{
"service_slug": "main-app",
"service_name": "Main Application",
"service_type": "web",
"client_id": "uuid"
}
service.updated
Triggering Action: Service updated via /api/services/{service_slug}
Description: Service configuration was modified.
Details Payload:
{
"service_slug": "main-app",
"updated_fields": ["name", "redirect_uris"],
"old_name": "Old App Name",
"new_name": "New App Name"
}
service.deleted
Triggering Action: Service deleted via /api/services/{service_slug}
Description: A service was permanently deleted from the organization.
Details Payload:
{
"service_slug": "old-app",
"service_name": "Old Application"
}
service.oauth_credentials.updated
Triggering Action: OAuth credentials configured via /api/organizations/{org_slug}/oauth-credentials/{provider}
Description: BYOO (Bring Your Own OAuth) credentials were configured for a service.
Details Payload:
{
"provider": "github",
"service_slug": "main-app",
"has_credentials": true
}
Organization Management Events
organization.updated
Triggering Action: Organization details updated via /api/organizations/{org_slug}
Description: Organization profile or settings were modified.
Details Payload:
{
"updated_fields": ["name", "website"],
"old_name": "Old Company Name",
"new_name": "New Company Name"
}
organization.smtp.configured
Triggering Action: SMTP settings configured via /api/organizations/{org_slug}/smtp
Description: Custom SMTP email server was configured for the organization.
Details Payload:
{
"smtp_host": "smtp.example.com",
"smtp_port": 587,
"smtp_from_email": "noreply@example.com"
}
organization.smtp.removed
Triggering Action: SMTP settings deleted via /api/organizations/{org_slug}/smtp
Description: Custom SMTP configuration was removed, reverting to default email delivery.
Details Payload:
{
"smtp_host": "smtp.example.com"
}
Plan and Subscription Events
plan.created
Triggering Action: Subscription plan created via /api/services/{service_slug}/plans
Description: A new subscription plan was created for a service.
Details Payload:
{
"plan_name": "Premium",
"plan_slug": "premium",
"service_slug": "main-app",
"is_paid": true
}
plan.updated
Triggering Action: Plan details updated via /api/services/{service_slug}/plans/{plan_slug}
Description: Subscription plan configuration was modified.
Details Payload:
{
"plan_slug": "premium",
"updated_fields": ["price", "features"],
"old_price": 9.99,
"new_price": 14.99
}
plan.deleted
Triggering Action: Plan deleted via /api/services/{service_slug}/plans/{plan_slug}
Description: A subscription plan was removed.
Details Payload:
{
"plan_slug": "deprecated-plan",
"plan_name": "Deprecated Plan"
}
subscription.created
Triggering Action: User subscribes to a plan via Stripe integration
Description: A user created a new subscription to a service plan.
Details Payload:
{
"user_email": "user@example.com",
"plan_slug": "premium",
"stripe_subscription_id": "sub_1234567890"
}
subscription.updated
Triggering Action: Subscription modified via Stripe webhook
Description: A subscription was updated (plan change, payment method update).
Details Payload:
{
"subscription_id": "uuid",
"old_plan": "basic",
"new_plan": "premium",
"change_type": "upgrade"
}
subscription.canceled
Triggering Action: Subscription canceled via Stripe webhook or API
Description: A user’s subscription was canceled.
Details Payload:
{
"subscription_id": "uuid",
"plan_slug": "premium",
"cancellation_reason": "user_requested"
}
Invitation Management Events
invitation.accepted
Triggering Action: User accepts invitation via /api/invitations/{token}/accept
Description: An invitation was accepted by the recipient.
Details Payload:
{
"invitation_id": "uuid",
"invitee_email": "newuser@example.com"
}
invitation.declined
Triggering Action: User declines invitation via /api/invitations/{token}/decline
Description: An invitation was explicitly declined by the recipient.
Details Payload:
{
"invitation_id": "uuid",
"invitee_email": "user@example.com"
}
invitation.expired
Triggering Action: System cleanup job or expired invitation access attempt
Description: An invitation expired without being accepted or declined.
Details Payload:
{
"invitation_id": "uuid",
"invitee_email": "expired@example.com",
"expired_at": "2025-01-15T10:30:00Z"
}
invitation.revoked
Triggering Action: Admin revokes invitation via /api/organizations/{org_slug}/invitations/{id}
Description: An invitation was revoked by an administrator before acceptance.
Details Payload:
{
"invitation_id": "uuid",
"invitee_email": "revoked@example.com",
"revoked_by": "admin@example.com"
}
Security Events
security.mfa.enabled
Triggering Action: User enables MFA via /api/user/mfa/enable
Description: Multi-factor authentication was enabled for a user account.
Details Payload:
{
"user_email": "user@example.com",
"method": "totp"
}
security.mfa.disabled
Triggering Action: User disables MFA via /api/user/mfa/disable
Description: Multi-factor authentication was disabled for a user account.
Details Payload:
{
"user_email": "user@example.com",
"disabled_by_admin": false
}
security.password.changed
Triggering Action: Password reset via /api/auth/reset-password
Description: A user’s password was changed.
Details Payload:
{
"user_email": "user@example.com",
"reset_method": "email_link"
}
API Key Management Events
api_key.created
Triggering Action: API key created via /api/organizations/{org_slug}/services/{service_slug}/api-keys
Description: A new service API key was generated.
Details Payload:
{
"service_slug": "main-app",
"key_name": "Production Server Key",
"permissions": ["read:users", "write:users"]
}
api_key.deleted
Triggering Action: API key revoked via /api/organizations/{org_slug}/services/{service_slug}/api-keys/{key_id}
Description: A service API key was permanently revoked.
Details Payload:
{
"service_slug": "main-app",
"key_name": "Old Server Key",
"key_id": "uuid"
}
Custom Domain and Branding Events
domain.set
Triggering Action: Custom domain configured via organization domain settings
Description: A custom domain was configured for the organization.
Details Payload:
{
"domain": "auth.example.com",
"verification_status": "pending"
}
domain.verified
Triggering Action: DNS verification completed via background job
Description: Custom domain DNS verification succeeded.
Details Payload:
{
"domain": "auth.example.com",
"verification_method": "dns_txt"
}
domain.deleted
Triggering Action: Custom domain removed via organization domain settings
Description: A custom domain configuration was removed.
Details Payload:
{
"domain": "auth.example.com"
}
branding.updated
Triggering Action: Branding settings updated via organization branding API
Description: Organization branding (logo, colors, theme) was modified.
Details Payload:
{
"updated_fields": ["logo_url", "primary_color"],
"primary_color": "#3b82f6"
}
MFA Audit Events
MFA audit events track multi-factor authentication activities for individual users. These events are stored separately in the MFA audit log.
MFA Setup Events
mfa_setup_initiated
Triggering Action: User starts MFA setup via /api/user/mfa/setup
Description: MFA setup process was initiated.
Details Payload:
{}
mfa_setup_completed
Triggering Action: User completes MFA setup via /api/user/mfa/enable
Description: MFA setup was successfully completed.
Details Payload:
{
"method": "totp"
}
mfa_setup_failed
Triggering Action: MFA setup fails due to invalid code
Description: MFA setup attempt failed.
Details Payload:
{
"reason": "invalid_verification_code"
}
MFA Management Events
mfa_enabled
Triggering Action: MFA enabled via /api/user/mfa/enable
Description: Multi-factor authentication was successfully enabled.
Details Payload:
{
"method": "totp"
}
mfa_disabled
Triggering Action: User disables MFA via /api/user/mfa/disable
Description: Multi-factor authentication was disabled by the user.
Details Payload:
{
"disabled_by_admin": false
}
mfa_force_disabled_by_admin
Triggering Action: Admin disables user’s MFA via admin API
Description: MFA was forcibly disabled by an administrator.
Details Payload:
{
"disabled_by_admin": true,
"admin_user_id": "admin-uuid"
}
MFA Verification Events
mfa_verify_attempt
Triggering Action: User attempts MFA verification during login
Description: An MFA verification attempt was made.
Details Payload:
{
"verification_type": "totp"
}
mfa_verify_success
Triggering Action: Successful MFA verification via /api/auth/mfa/verify
Description: MFA code was successfully verified.
Details Payload:
{
"verification_type": "totp"
}
mfa_verify_failed
Triggering Action: Failed MFA verification attempt
Description: MFA verification failed.
Details Payload:
{
"verification_type": "totp",
"reason": "invalid_code"
}
Backup Code Events
backup_codes_generated
Triggering Action: Backup codes generated via /api/user/mfa/backup-codes/regenerate
Description: New MFA backup codes were generated.
Details Payload:
{
"code_count": 10
}
backup_code_used
Triggering Action: User authenticates using backup code
Description: An MFA backup code was used for authentication.
Details Payload:
{
"backup_code_id": "uuid"
}
Using Audit Events
Filtering by Event Type
Retrieve audit logs for specific event types:
GET /api/organizations/{org_slug}/audit-log?action=service.created&limit=50
Event Target Types
Common target types in organization audit events:
- user - User management actions
- service - Service configuration changes
- organization - Organization-level settings
- plan - Subscription plan management
- subscription - User subscription events
- invitation - Team invitation lifecycle
- api_key - API key management
- domain - Custom domain configuration
- branding - Branding and theme settings
Compliance Use Cases
SOC 2 Compliance
Monitor administrative changes:
# Track all user access changes
GET /api/organizations/{org_slug}/audit-log?action=user.role_updated
# Track security configuration changes
GET /api/organizations/{org_slug}/audit-log?action=security.*
GDPR Data Access Requests
Find all actions performed by or affecting a user:
# As target
GET /api/organizations/{org_slug}/audit-log?target_type=user&target_id={user_id}
# As actor
GET /api/organizations/{org_slug}/audit-log?actor_user_id={user_id}
Security Incident Investigation
Identify suspicious activity:
# Recent failed MFA attempts
GET /api/organizations/{org_slug}/audit-log?action=mfa_verify_failed&limit=100
# Recent API key operations
GET /api/organizations/{org_slug}/audit-log?action=api_key.*
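A sketch of how the two queries above can be correlated after retrieval. This is an added example, not AuthOS code. The record envelope (created_at, action, actor_user_id, target_id, details), the thresholds, and merging organization and MFA events into one list are assumptions; only the action names and details payloads come from this reference.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, action, actor, target, **details):
    # Assumed record envelope; only action names and details come from this page.
    return {"created_at": ts, "action": action, "actor_user_id": actor,
            "target_id": target, "details": details}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    ev("2025-01-15T10:00:00Z", "mfa_verify_failed", "u-1", "u-1", reason="invalid_code"),
    ev("2025-01-15T10:00:20Z", "mfa_verify_failed", "u-1", "u-1", reason="invalid_code"),
    ev("2025-01-15T10:00:40Z", "mfa_verify_failed", "u-1", "u-1", reason="invalid_code"),
    ev("2025-01-15T10:01:00Z", "backup_code_used", "u-1", "u-1", backup_code_id="uuid"),
    ev("2025-01-15T10:05:00Z", "mfa_verify_failed", "u-2", "u-2", reason="invalid_code"),
    ev("2025-01-15T10:05:30Z", "mfa_verify_success", "u-2", "u-2", verification_type="totp"),
    ev("2025-01-15T11:00:00Z", "user.role_updated", "a-9", "u-3", old_role="member", new_role="admin"),
    ev("2025-01-15T11:10:00Z", "api_key.created", "u-3", "k-1", key_name="Production Server Key"),
    ev("2025-01-15T12:00:00Z", "api_key.created", "u-4", "k-2", key_name="Old Server Key"),
]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(events, fail_threshold=3, window=timedelta(minutes=5),
           promo_window=timedelta(hours=1)):
    """Return (rule, user_id, evidence) tuples in time order."""
    findings = []
    fails = defaultdict(list)  # user id -> times of failed MFA checks
    promoted = {}              # user id -> time the admin role was granted
    for e in sorted(events, key=lambda e: parse_ts(e["created_at"])):
        ts, action, details = parse_ts(e["created_at"]), e["action"], e["details"]
        if action == "mfa_verify_failed":
            fails[e["target_id"]].append(ts)
        elif action in ("mfa_verify_success", "backup_code_used"):
            # Failures shortly before a pass suggest code guessing or a fallback to backup codes.
            recent = [t for t in fails.pop(e["target_id"], []) if ts - t <= window]
            if len(recent) >= fail_threshold:
                findings.append((f"mfa_failures_then_{action}", e["target_id"], len(recent)))
        elif action == "user.role_updated" and details.get("new_role") == "admin":
            promoted[e["target_id"]] = ts
        elif action == "api_key.created":
            # A key minted by a freshly promoted admin deserves a second look.
            since = promoted.get(e["actor_user_id"])
            if since is not None and ts - since <= promo_window:
                findings.append(("api_key_after_promotion", e["actor_user_id"], details.get("key_name")))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A single failed code followed by a success (user u-2 in the sample) stays below the default threshold and is not reported.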
Related Documentation
- Organization Audit Logs API - Retrieving audit logs via API
- Organization Management - Organization administration
- User Management - User profile and MFA management