Skip to content

Auth Events and Auditing

Seamless Auth tracks authentication activity through explicit auth event records.

These events are one of the main reasons the system is inspectable by operators instead of behaving like a black box.


User or system action
-> auth event recorded
-> sensitive metadata redacted
-> stored
-> queried by admin and metrics routes

An auth event is a record of something that happened in the auth system.

Common examples include:

  • user_created
  • registration_success
  • verify_otp_success
  • webauthn_registration_success
  • login_failed
  • oauth_login_success
  • totp_verify_success
  • admin_session_revoked
  • admin_device_replacement_recovery
  • request_suspicious
  • bootstrap_admin_granted

Exact event types are implementation details, but the event stream should cover authentication, MFA, OAuth, admin actions, suspicious requests, and recovery flows.


FieldDescription
idEvent ID
user_idAssociated user when available
typeEvent type
ip_addressOrigin IP
user_agentDevice info
metadataAdditional redacted structured context

Auth event metadata must not expose raw secrets or browser-local key material.

Sensitive values include:

  • tokens and refresh tokens
  • OTP values
  • magic-link URLs and tokens
  • OAuth state, codes, provider tokens, and provider client secrets
  • PRF salts and PRF output
  • TOTP secrets
  • private keys
  • raw recovery material

The API redacts sensitive metadata before storing events. Docs should follow the same rule and avoid example payloads that normalize leaking secrets.


Auth events are useful for:

  • debugging auth flows
  • building operator dashboards
  • detecting suspicious activity
  • auditing admin-sensitive flows
  • understanding where auth friction is happening
  • supporting login policy and lockout investigations

You can use auth events to:

  • detect repeated login failures
  • track unusual IP behavior
  • surface suspicious request patterns
  • review bootstrap and admin-related activity
  • investigate OAuth account-linking failures
  • confirm session revocation and device replacement recovery actions

The admin dashboard uses auth event data to power:

  • event browsing
  • grouped event summaries
  • timeseries metrics
  • login success/failure stats
  • anomaly investigation flows
  • user detail audit context

That makes the event stream useful for both debugging and operations.