Operate

Audit Logs

4 min read·Updated Apr 29, 2026

The Logs tab (sometimes called Trail Log internally) is the per-application audit trail. Every sign-in, role change, MFA reset, API key rotation, OAuth-provider edit — anything that affects state — lands here. It's the page you open during a security investigation and the page you ship to compliance auditors.

┌──────────┬───────────────────────────────────────────────┬───────┬──────────┐
│ Time     │ Event                                         │ Actor │ Result   │
├──────────┼───────────────────────────────────────────────┼───────┼──────────┤
│ 10:42:18 │ POST /oauth2/token (refresh_token)            │ alice │ 200 OK   │
│ 10:39:01 │ POST /api/v1/users/{id}/mfa/reset             │ admin │ 200 OK   │
│ 10:38:55 │ POST /oauth2/token (authorization_code)       │ alice │ 200 OK   │
│ 10:38:49 │ GET  /oauth2/authorize  (PKCE, S256)          │ —     │ 302      │
│ 10:36:11 │ POST /auth/password/login  (failed)           │ alice │ 401      │
└──────────┴───────────────────────────────────────────────┴───────┴──────────┘

The page is a three-pane layout: filters on the left, an event table in the middle, a detail panel on the right when you select a row.

Where it lives#

Dashboard → Application → Logs. The header shows the total event count, a search box, a Live toggle (5-second polling for tail-the-stream usage), and a Refresh button.

Filters#

The left sidebar has:

Range	When to use
`30m` (default)	Real-time investigation — what just happened?
`1h`, `3h`, `6h`, `12h`	Same incident, broader window.
`24h`	"Did anything weird happen overnight?"
`3d`, `7d`	Compliance review, weekly summary.

Filter	Includes
`warning`	All warnings and above.
`error`	Errors and fatal.
`fatal`	Fatal only — service-level failures.

Field	What it is
Event ID	Unique identifier — quote this in support tickets.
Description	Full description, including any context the handler emitted.
Actor	User ID, email, IP address, user agent.
Resource	The object that was acted on (`users/abc`, `roles/xyz`, `applications/{appId}`).
Method + Path	The HTTP request that triggered the event.
Status	HTTP status returned.
Tenant	When the event was tenant-scoped.
Metadata	A JSON object with handler-specific extras: previous role, new role, password complexity, MFA method chosen, etc.

Category	Examples
Authentication	Login success/fail, MFA challenge, MFA pass/fail, magic-link request, OAuth callback, password reset, signup start/complete, lockout.
Identity	User created/suspended/activated/deleted, MFA reset, session revoked, password changed.
Authorization	Role created/updated/deleted, role assignment/unassignment, policy changed, permission check (failures only by default).
Configuration	Auth provider enabled/disabled, branding updated, custom domain added, email template changed.
Credentials	API key created/rotated/revoked, M2M credential lifecycle.
OAuth	Authorize requests, token exchanges (success and failure), token revocations.

Tier	Retention
Default	90 days
Pro	180 days
Enterprise	365 days, or custom

Audit Logs

Where it lives#

Filters#

Time range#

Severity#

Reset#

Search#

What's in an event#

Live tail#

What gets logged#

API queries#

Retention#

Practical tips#

Next steps#