Skip to contentSkip to navigation

Audit Logs

Audit logs record who performed an authentication action, who or what it affected, when it happened, and the available request context. Own Auth writes these events automatically as part of each supported operation.

Recorded events

EventRecorded when
user.signed_upA user signs up or is created through an external provider.
user.signed_inA user signs in with a password, magic link, phone code, or external provider.
user.signed_outA user signs out with a session token.
user.disabledA user account is disabled.
user.re_enabledA disabled account is enabled again.
external_provider.linkedAn Apple or Google account is linked to a user.
session.createdA session is created.
session.revokedOne session is revoked during signout or from a session list.
session.revoked_otherEvery session except the current one is revoked.
session.revoked_allEvery session for a user is revoked.
magic_link.requestedA magic-link email is requested.
magic_link.usedA magic link is consumed to sign in.
email_verification.requestedAn email-verification link is requested.
email.verifiedAn email-verification link is consumed.
sms_otp.sentAn SMS code is sent.
sms_otp.verifiedAn SMS code is verified.
phone.verifiedA user's phone number is marked as verified.
password_reset.requestedA password-reset link is requested.
password.changedA password is changed or reset.
api_key.createdAn application API key is created.
api_key.usedAn application API key authenticates a request.
api_key.revokedAn application API key is revoked.
organisation.createdAn organisation is created.
organisation.deletedAn organisation is permanently deleted by its owner.
organisation.updatedAn organisation is updated.
member.invitedAn organisation invitation is created.
invite.acceptedAn organisation invitation is accepted.
invite.revokedAn organisation invitation is revoked.
member.removedA member is removed from an organisation.
member.role_changedA member's organisation role is changed.

Own Auth does not currently write events when sessions merely expire or when a rate limit rejects a request.

Audit event fields

Each AuditEvent contains:

FieldDescription
idUnique event ID.
eventTypeOne of the recorded event names above.
actorUserIdThe user who performed the action, when known.
targetUserIdThe user affected by the action, when known.
organisationIdThe related organisation, when applicable.
apiKeyIdThe related API-key record, when applicable.
ipAddressRequest IP address when supplied through request.
userAgentUser-Agent value when supplied through request.
metadataEvent-specific structured data.
createdAtThe time the event was written.

Query audit logs

Use listAuditEvents. Results are returned as an array with the newest events first.

ts
const events = await auth.listAuditEvents({
  actorUserId: currentUser.id,
});

Filter by API key:

ts
const events = await auth.listAuditEvents({
  actorUserId: currentUser.id,
  apiKeyId,
});

Filters can be combined:

ts
const events = await auth.listAuditEvents({
  userId,
  organisationId,
  apiKeyId,
  actorUserId: currentUser.id,
});

actorUserId is required. The available filters are userId, organisationId, and apiKeyId. A user filter matches events where that user is either the actor or the target. Without an organisation filter, users can read only their own events.

listAuditEvents does not currently support event-type filters, date ranges, limits, offsets, cursors, or total counts.

Response

ts
const [event] = await auth.listAuditEvents({
  actorUserId: currentUser.id,
});

// event -> {
//   id: "evt_...",
//   eventType: "session.created",
//   actorUserId: "usr_...",
//   targetUserId: "usr_...",
//   organisationId: null,
//   apiKeyId: null,
//   ipAddress: "203.0.113.42",
//   userAgent: "Mozilla/5.0...",
//   metadata: { sessionId: "ses_..." },
//   createdAt: Date,
// }

Organisation audit logs

Pass the signed-in user as the actor when loading organisation events:

ts
const events = await auth.listAuditEvents({
  organisationId,
  actorUserId: currentUser.id,
});

Own Auth checks the actor's active membership and view_audit_events permission before returning organisation events.

Request context

Pass request context to auth methods when the audit trail should include an IP address and user agent:

ts
await auth.signInEmailPassword({
  email,
  password,
  request: {
    ipAddress: req.ip,
    userAgent: req.headers["user-agent"],
  },
});

When request context is omitted, ipAddress and userAgent are stored as null.

Event metadata

Metadata depends on the event:

EventExample metadata
session.created{ sessionId: "ses_..." }
session.revoked{ reason: "user_logout" } or { reason: "user_revoked", sessionId: "ses_..." }
session.revoked_all{ reason: "password_reset", revoked: 3 }
user.signed_in{ method: "magic_link" } or { method: "phone_otp" } when applicable
external_provider.linked{ provider: "google" }
sms_otp.sent{ purpose: "phone_login", otpId: "otp_..." }
api_key.created{ name: "Production", scopes: ["reports:read"] }
api_key.used{ requiredScopes: ["reports:read"] }
organisation.created{ name: "Acme", slug: "acme" }
organisation.deleted{ organisationId: "org_...", name: "Acme", slug: "acme", membersRemoved: 3, apiKeysRemoved: 2, invitationsRemoved: 1 }
member.invited{ email: "bob@example.com", role: "member", invitationId: "inv_..." }
member.role_changed{ previousRole: "member", role: "owner", ownershipTransferredTo: null }
member.removed{ memberId: "mem_...", role: "owner", ownershipTransferredTo: "usr_..." }

Retention

Audit events remain in own_auth_audit_events until they are removed. Own Auth does not delete them automatically.

Delete events older than a chosen cutoff:

ts
const deleted = await auth.cleanupAuditLogs({
  olderThan: new Date("2025-01-01T00:00:00.000Z"),
});

cleanupAuditLogs permanently deletes every audit event created before olderThan and returns the number deleted.

Next step

Read the full Security Model to understand how the security features work together.