Payload shape
Every event arrives as a JSON envelope on the configured endpoint. The fields are identical across event types — only the type and the metadata change.
{
"type": "ACCOUNT_WEBAUTHN_CREDENTIAL_ENROLLED",
"eventId": "evt_18Lq...",
"tenantId": "tnt_...",
"createdAt": "2026-06-01T07:23:45.123Z",
"actor": { "tenantUserId": "u_..." },
"resource": { "type": "TenantUser", "id": "u_..." },
"metadata": { "credentialName": "iPhone 16 Pro" }
}The complete event types, organized by domain, are listed below. Browse, or use Cmd / Ctrl + F to jump to a specific code.
Account
Profile, preferences, personal-access tokens.
- ACCOUNT_PROFILE_UPDATE
User-editable profile fields changed (display name, time-zone, locale).
- ACCOUNT_AVATAR_UPDATE
User uploaded or removed their profile picture.
- ACCOUNT_PREFERENCES_UPDATE
Theme, notification, or accessibility preferences changed.
- ACCOUNT_NOTIF_PREFERENCE_UPDATE
Per-channel notification preference (email, in-app) toggled.
- ACCOUNT_PAT_CREATED
A personal-access token was issued.
- ACCOUNT_PAT_REVOKED
A personal-access token was revoked.
- ACCOUNT_LOGIN_ALERT_PREF_UPDATE
Sign-in alert preferences changed.
- ACCOUNT_NOTIF_INBOX_READ
Daily aggregate of inbox-read activity (not per-row).
- ACCOUNT_NOTIF_INBOX_MARKED_READ
Bulk mark-as-read action against the inbox.
- ACCOUNT_AUDIT_LOG_EXPORTED
A workspace administrator exported the audit log.
- ACCOUNT_SECURITY_ALERT_ACKNOWLEDGED
A workspace administrator acknowledged a security alert.
Sessions
Per-session lifecycle + revocation.
- ACCOUNT_SESSION_REVOKED
An individual session was revoked.
- ACCOUNT_SESSIONS_REVOKED_ALL
All sessions for the user were revoked.
Multi-factor authentication
Authenticator app, hardware key, recovery codes.
- ACCOUNT_MFA_ENROLLED
User enrolled a multi-factor method (legacy code; new flows emit ACCOUNT_MFA_DEVICE_ENROLLED).
- ACCOUNT_MFA_DEVICE_ENROLLED
A new authenticator app or hardware key was registered.
- ACCOUNT_MFA_DEVICE_VERIFIED
An enrolled device successfully completed a challenge.
- ACCOUNT_MFA_DEVICE_RENAMED
User renamed an enrolled device.
- ACCOUNT_MFA_DEVICE_REVOKED
An enrolled device was revoked.
- ACCOUNT_MFA_DEVICE_REVOKE_BLOCKED
A revoke attempt was blocked by the last-factor guard.
- ACCOUNT_MFA_RECOVERY_CODES_GENERATED
A new batch of recovery codes was generated.
- ACCOUNT_MFA_RECOVERY_CODE_USED
A recovery code was redeemed for sign-in.
- ACCOUNT_MFA_DISABLED
All MFA was disabled on the account.
- ACCOUNT_MFA_DISABLE_BLOCKED
Disabling MFA was blocked by tenant policy.
- ACCOUNT_MFA_LEGACY_MIGRATED
A legacy single-device enrollment was promoted to the multi-device model.
- TENANT_MFA_POLICY_UPDATED
Workspace MFA policy was updated by an administrator.
- TENANT_MFA_REQUIREMENT_ENFORCED
MFA-required signal applied during sign-in.
- TENANT_MFA_GRACE_GRANTED
A grace period was granted to enroll MFA.
- TENANT_MFA_GRACE_EXPIRED
An MFA grace period elapsed without enrollment.
- TENANT_MFA_ACCEPTED_FACTORS_UPDATED
The list of acceptable MFA factors was changed (e.g. phishing-resistant-only).
WebAuthn / Passkeys
Phishing-resistant credentials.
- ACCOUNT_WEBAUTHN_CREDENTIAL_ENROLLED
A passkey or hardware credential was registered.
- ACCOUNT_WEBAUTHN_CREDENTIAL_VERIFIED
A passkey successfully completed an assertion.
- ACCOUNT_WEBAUTHN_CREDENTIAL_RENAMED
A passkey was renamed.
- ACCOUNT_WEBAUTHN_CREDENTIAL_REVOKED
A passkey was revoked.
- ACCOUNT_WEBAUTHN_CREDENTIAL_REVOKE_BLOCKED
A revoke was blocked by the last-factor guard.
- ACCOUNT_WEBAUTHN_SIGNIN_SUCCESS
Passkey sign-in succeeded.
- ACCOUNT_WEBAUTHN_SIGNIN_FAILED
Passkey sign-in failed verification.
- ACCOUNT_WEBAUTHN_COUNTER_REGRESSION
A passkey returned a sign counter that went backward — possible cloning.
- ACCOUNT_WEBAUTHN_ENROLL_BLOCKED_BY_POLICY
Passkey enrollment was blocked by the workspace attestation policy.
Step-up authentication
Fresh-MFA challenges for high-impact actions.
- ACCOUNT_STEPUP_CHALLENGE_REQUESTED
A high-impact action requested a fresh-MFA proof.
- ACCOUNT_STEPUP_VERIFIED
Step-up challenge succeeded.
- ACCOUNT_STEPUP_FAILED
Step-up challenge failed.
- ACCOUNT_STEPUP_REUSED
A step-up token was redeemed twice — possible replay attempt.
- ACCOUNT_STEPUP_BLOCKED
A step-up attempt was blocked by tenant policy.
SAML single sign-on
Identity-provider configuration + sign-in flow.
- TENANT_SAML_PROVIDER_CREATED
An identity provider was added.
- TENANT_SAML_PROVIDER_UPDATED
An identity provider's configuration was changed.
- TENANT_SAML_PROVIDER_ENABLED
An identity provider went live for sign-in.
- TENANT_SAML_PROVIDER_DISABLED
An identity provider was paused.
- TENANT_SAML_PROVIDER_DELETED
An identity provider was deleted.
- ACCOUNT_SAML_SIGNIN_SUCCESS
A SAML sign-in succeeded.
- ACCOUNT_SAML_SIGNIN_FAILED
A SAML sign-in attempt was rejected.
- ACCOUNT_SAML_JIT_PROVISIONED
A new user was just-in-time provisioned on first SAML sign-in.
SCIM provisioning
Automated user lifecycle from your directory.
- TENANT_SCIM_TOKEN_CREATED
A SCIM bearer token was issued.
- TENANT_SCIM_TOKEN_REVOKED
A SCIM bearer token was revoked.
- ACCOUNT_SCIM_USER_CREATED
A user was provisioned via SCIM.
- ACCOUNT_SCIM_USER_UPDATED
A user was updated via SCIM.
- ACCOUNT_SCIM_USER_DEACTIVATED
A user was deactivated via SCIM.
- ACCOUNT_SCIM_USER_REACTIVATED
A user was reactivated via SCIM.
Network policy
IP allowlist / blocklist enforcement.
- TENANT_NETWORK_POLICY_UPDATED
The workspace network policy (allowlist/blocklist) was changed.
- TENANT_NETWORK_RULE_ADDED
A network rule was added.
- TENANT_NETWORK_RULE_REMOVED
A network rule was removed.
- ACCOUNT_NETWORK_POLICY_BLOCKED
A request was blocked by the workspace network policy.
- ACCOUNT_NETWORK_POLICY_ADMIN_BYPASS
An administrator bypassed the network policy for a one-time action.
Attestation policy
WebAuthn authenticator restrictions.
- TENANT_ATTESTATION_POLICY_UPDATED
The workspace's WebAuthn attestation allowlist was changed.
Event webhooks
Outbound HMAC-signed event delivery.
- TENANT_WEBHOOK_CREATED
A webhook subscription was created.
- TENANT_WEBHOOK_UPDATED
A webhook subscription was updated.
- TENANT_WEBHOOK_DISABLED
A webhook subscription was disabled.
- TENANT_WEBHOOK_DELETED
A webhook subscription was deleted.
- TENANT_WEBHOOK_CIRCUIT_TRIPPED
A webhook circuit breaker tripped after repeated failures.
- TENANT_WEBHOOK_TEST_SENT
A test event was delivered to a webhook endpoint.
Audit-log retention
Per-category retention windows + prune cron.
- TENANT_AUDIT_RETENTION_POLICY_UPDATED
Per-category retention windows were changed.
- AUDIT_PRUNE_RUN_COMPLETED
Daily retention prune cron completed; the metadata carries which categories pruned and how many rows fell out.
- AUDIT_PRUNE_RUN_FAILED
Daily retention prune cron failed.
Data erasure
Right-to-erasure workflow + holds.
- ACCOUNT_DATA_EXPORT_REQUEST
The user requested a copy of their data.
- ACCOUNT_DATA_EXPORT_READY
A data export is ready to download.
- ACCOUNT_DATA_EXPORT_DOWNLOADED
A prepared data export was downloaded.
- ACCOUNT_DELETION_REQUEST
The user requested account erasure.
- ACCOUNT_DELETION_APPROVED
An administrator approved the erasure request.
- ACCOUNT_DELETION_REJECTED
An administrator rejected the erasure request.
- ACCOUNT_DELETION_CANCELLED
An erasure request was cancelled before completion.
- ACCOUNT_DELETION_COMPLETED
An erasure was fully completed.
- ACCOUNT_DELETION_BLOCKED_BY_HOLDS
Erasure could not complete because a module reported a regulatory retention hold.
- ACCOUNT_DELETION_HOLDS_OVERRIDDEN
An administrator overrode retention holds to force completion (10-year retention on this row per SOX § 802).
- ACCOUNT_DELETION_DUAL_CONTROL_BLOCKED
Completion was blocked because the completer is the same administrator who approved.
- ACCOUNT_DELETION_COOLOFF_BLOCKED
Completion was blocked because the cooling-off window had not yet elapsed.