Log Event Type Codes
The following table lists the codes associated with each log event. If you want to learn more about log event schemas, you can reference our GitHub repo.
| Event Code | Event | Event Description |
|---|---|---|
api_limit |
Rate Limit on the Authentication or Management APIs | The maximum number of requests to the Authentication or Management APIs in a given time has been reached. |
appi |
Notice for API Peak Performance initiated | Increases the Elevated Public Authentication API Limits by the 100 RPS multiple purchased by the customer for up to 48 hours per month. For more information, see Public performance rate limit policy. |
ciba_exchange_failed |
Failed CIBA Exchange | Failed to exchange AuthReqId for Access Token |
ciba_exchange_succeeded |
Successful CIBA Exchange | Successful exchange of AuthReqId for Access Token |
ciba_start_failed |
Failed CIBA Start | Client-Initiated Backchannel Authentication Flow failed to be initiated. |
ciba_start_succeeded |
Successful CIBA Start | Client-Initiated Backchannel Authentication Flow has been successfully initiated. |
cls |
Code/Link Sent | Passwordless login code/link has been sent |
cs |
Code Sent | Passwordless login code has been sent |
depnote |
Deprecation Notice | |
f |
Failed Login | |
fc |
Failed by Connector | |
fce |
Failed Change Email | Failed to change user email |
fco |
Failed by CORS | Origin is not in the Allowed Origins list for the specified application |
fcoa |
Failed cross-origin authentication | |
fcp |
Failed Change Password | |
fcph |
Failed Post Change Password Hook | |
fcpn |
Failed Change Phone Number | |
fcpr |
Failed Change Password Request | |
fcpro |
Failed Connector Provisioning | Failed to provision an AD/LDAP connector |
fcu |
Failed Change Username | Failed to change username |
fd |
Failed Delegation | Failed to generate delegation token |
fdeac |
Failed Device Activation | Failed to activate device. |
fdeaz |
Failed Device Authorization Request | Device authorization request failed. |
fdecc |
User Canceled Device Confirmation | User did not confirm device. |
fdu |
Failed User Deletion | |
feacft |
Failed Exchange | Failed to exchange authorization code for Access Token |
feccft |
Failed Exchange | Failed exchange of Access Token for a Client Credentials Grant |
fede |
Failed Exchange | Failed to exchange Device Code for Access Token |
fens |
Failed Exchange | Failed exchange for Native Social Login |
feoobft |
Failed Exchange | Failed exchange of Password and OOB Challenge for Access Token |
feotpft |
Failed Exchange | Failed exchange of Password and OTP Challenge for Access Token |
fepft |
Failed Exchange | Failed exchange of Password for Access Token |
fepotpft |
Failed Exchange | Failed exchange of Passwordless OTP for Access Token |
fercft |
Failed Exchange | Failed Exchange of Password and MFA Recovery code for Access Token |
ferrt |
Failed Exchange | Failed Exchange of Rotating Refresh Token. This could occur when reuse is detected. |
fertft |
Failed Exchange | Failed Exchange of Refresh Token for Access Token. This could occur if the refresh token is revoked or expired. |
fi |
Failed invite accept | Failed to accept a user invitation. This could happen if the user accepts an invitation using a different email address than provided in the invitation, or due to a system failure while provisioning the invitation. |
flo |
Failed Logout | User logout failed |
fn |
Failed Sending Notification | Failed to send email notification |
fp |
Failed Login (Incorrect Password) | |
fpar |
Failed Pushed Authorization Request | |
fs |
Failed Signup | |
fsa |
Failed Silent Auth | |
fu |
Failed Login (Invalid Email/Username) | |
fui |
Failed users import | Failed to import users |
fv |
Failed Verification Email | Failed to send verification email |
fvr |
Failed Verification Email Request | Failed to process verification email request |
gd_auth_email_verification |
Email Verification Confirmed | Email verification completed successfully |
gd_auth_fail_email_verification |
Email Verification Failed | Email verification failed. |
gd_auth_failed |
MFA Auth failed | Multi-factor authentication failed. This could happen due to a wrong code entered for SMS/Voice/Email/TOTP factors, or a system failure. |
gd_auth_rejected |
MFA Auth rejected | A user rejected a Multi-factor authentication request via push-notification. |
gd_auth_succeed |
MFA Auth success | Multi-factor authentication success. |
gd_enrollment_complete |
MFA enrollment complete | A first time MFA user has successfully enrolled using one of the factors. |
gd_otp_rate_limit_exceed |
Too many MFA failures | A user sends more than 10 requests to their device within one hour. Note that the request limit does not reset upon a successful login event. |
gd_recovery_failed |
Recovery failed | A user enters a wrong recovery code when attempting to authenticate. |
gd_recovery_rate_limit_exceed |
Multi-factor recovery code has failed too many times | A user has entered a wrong recovery code too many times. |
gd_recovery_succeed |
MFA recovery success | A user successfully authenticates with a recovery code. |
gd_send_email |
MFA Email Sent | Email for MFA successfully sent. |
gd_send_email_verification |
Email Verification Sent | Verification email sent successfully. |
gd_send_email_verification_failure |
Email Verification Failed | Email verification failed. |
gd_send_pn |
Push notification sent | Push notification for MFA successfully sent. |
gd_send_pn_failure |
Error Sending MFA Push Notification | Push notification for MFA failed. |
gd_send_sms |
MFA SMS Sent | SMS for MFA successfully sent. |
gd_send_sms_failure |
Error Sending MFA SMS | Attempt to send SMS for MFA failed. |
gd_send_voice |
MFA voice call success | Voice call for MFA successfully made. |
gd_send_voice_failure |
MFA voice call failed | Attempt to make Voice call for MFA failed. |
gd_start_auth |
Second factor started | Second factor authentication event started for MFA. |
gd_start_enroll |
MFA Enroll started | Multi-factor authentication enroll has started. |
gd_start_enroll_failed |
MFA Enrollment Failed | Push to start enrollement failed. |
gd_tenant_update |
Guardian tenant update | |
gd_unenroll |
Unenroll device account | Device used for second factor authentication has been unenrolled. |
gd_update_device_account |
Update device account | Device used for second factor authentication has been updated. |
gd_webauthn_challenge_failed |
WebAuthn browser error | User failed to verify Webauthn factor. |
gd_webauthn_enrollment_failed |
WebAuthn browser error | WebAuthn browser enrollment failed. |
limit_delegation |
Too Many Calls to /delegation | Rate limit exceeded to `/delegation` endpoint |
limit_mu |
Blocked IP Address | An IP address is blocked because it attempted too many failed logins without a successful login. Or an IP address is blocked because it attempted too many sign-ups, whether successful or failed. For more information, see Attack Protection. |
limit_sul |
Blocked Account | A user is temporarily prevented from logging in because they reached the maximum logins per time period from the same IP address. For more information, see Attack Protection. |
limit_wc |
Blocked Account | An IP address is blocked because it reached the maximum failed login attempts into a single account. |
mfar |
MFA Required | A user has been prompted for multi-factor authentication (MFA). When using Adaptive MFA, Auth0 includes details about the risk assessment. Available in only the Resource Owner Password Flow. |
mgmt_api_read |
Management API read Operation | API GET operation returning secrets completed successfully |
oidc_backchannel_logout_failed |
Failed OIDC Back-Channel Logout request | Failed OIDC Back-Channel Logout request |
oidc_backchannel_logout_succeeded |
Successful OIDC Back-Channel Logout request | Successful OIDC Back-Channel Logout request |
organization_member_added |
Organization Member Added | Successfully added member to organization |
pla |
Pre-login assessment | This log is generated before a login and helps in monitoring the behavior of bot detection without having to enable it. |
pwd_leak |
Breached password | Someone behind the IP address ip attempted to login with a leaked password. The pwd_leak tenant log is emitted once per hour per IP address. |
resource_cleanup |
Success Resource Cleanup | Emitted when resources exceeding defined limits were removed. |
s |
Success Login | Successful login event. |
sapi |
Success API Operation | Successful management API write event. |
sce |
Success Change Email | |
scoa |
Success cross-origin authentication | |
scp |
Success Change Password | |
scpn |
Success Change Phone Number | |
scpr |
Success Change Password Request | |
scu |
Success Change Username | |
scv |
Success Credential Validation | Successful credential validation event. |
sd |
Success Delegation | |
sdu |
Success User Deletion | User successfully deleted |
seacft |
Success Exchange | Successful exchange of authorization code for Access Token |
seccft |
Success Exchange | Successful exchange of Access Token for a Client Credentials Grant |
sede |
Success Exchange | Successful exchange of device code for Access Token |
sens |
Success Exchange | Native Social Login |
seoobft |
Success Exchange | Successful exchange of Password and OOB Challenge for Access Token |
seotpft |
Success Exchange | Successful exchange of Password and OTP Challenge for Access Token |
sepft |
Success Exchange | Successful exchange of Password for Access Token |
sepkoobft |
Success Exchange | Successful exchange of Passkey and OOB Challenge for Access Token |
sepkotpft |
Success Exchange | Successful exchange of Passkey and OTP Challenge for Access Token |
sepkrcft |
Success Exchange | Successful exchange of Passkey and MFA Recovery Code for Access Token |
sercft |
Success Exchange | Successful exchange of Password and MFA Recovery code for Access Token |
sertft |
Success Exchange | Successful exchange of Refresh Token for Access Token |
si |
Successfully accepted a user invite | Successfully accepted a user invitation |
signup_pwd_leak |
Breached Password on Signup | Someone behind the IP address ip attempted to signup with a leaked password. |
slo |
Success Logout | User successfully logged out |
srrt |
Success Revocation | Successfully revoked a Refresh Token |
ss |
Success Signup | |
ss_sso_failure |
Failed SS-SSO Operation | Ticket generation/consumption failed; Connection creation/update/enablement failed |
ss_sso_info |
Information from an SS-SSO Operation | Try-connection flow started/completed |
ss_sso_success |
Success SS-SSO Operation | Ticket generated/consumed successfully; Connection created/updated/enabled successfully |
ssa |
Success Silent Auth | |
sui |
Successfully imported users | Successfully imported users |
sv |
Success Verification Email | Successfully consumed email verification link |
svr |
Success Verification Email Request | Successfully called verification email endpoint. Verification email in queue to send. |
ublkdu |
User login block released | User block setup by anomaly detection has been released |
w |
Warning During Login | Filters for logs of type warning during login |
wum |
Warning User Management | Filters for logs of type warning during user management operations |