Skip to main content

Event actions

Whenever any of the following actions occur, an event is created. Actions are used to define Notification Rules.

login

A user logs in (including the source, if available).

Example
{
    "pk": "f00f54e7-2b38-421f-bc78-e61f950048d6",
    "user": {
        "pk": 1,
        "email": "root@localhost",
        "username": "akadmin"
    },
    "action": "login",
    "app": "authentik.events.signals",
    "context": {
        "auth_method": "password",
        "http_request": {
            "args": {
                "query": "next=%2F"
            },
            "path": "/api/v3/flows/executor/default-authentication-flow/",
            "method": "GET"
        },
        "auth_method_args": {}
    },
    "client_ip": "::1",
    "created": "2023-02-15T15:33:42.771091Z",
    "expires": "2024-02-15T15:33:42.770425Z",
    "brand": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

login_failed

A failed login attempt.

Example
{
    "pk": "2779b173-eb2a-4c2b-a1a4-8283eda308d7",
    "user": {
        "pk": 2,
        "email": "",
        "username": "AnonymousUser"
    },
    "action": "login_failed",
    "app": "authentik.events.signals",
    "context": {
        "stage": {
            "pk": "7e88f4a991c442c1a1335d80f0827d7f",
            "app": "authentik_stages_password",
            "name": "default-authentication-password",
            "model_name": "passwordstage"
        },
        "password": "********************",
        "username": "akadmin",
        "http_request": {
            "args": {
                "query": "next=%2F"
            },
            "path": "/api/v3/flows/executor/default-authentication-flow/",
            "method": "POST"
        }
    },
    "client_ip": "::1",
    "created": "2023-02-15T15:32:55.319608Z",
    "expires": "2024-02-15T15:32:55.314581Z",
    "brand": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

logout

A user logs out.

Example
{
    "pk": "474ffb6b-77e3-401c-b681-7d618962440f",
    "user": {
        "pk": 1,
        "email": "root@localhost",
        "username": "akadmin"
    },
    "action": "logout",
    "app": "authentik.events.signals",
    "context": {
        "http_request": {
            "args": {
                "query": ""
            },
            "path": "/api/v3/flows/executor/default-invalidation-flow/",
            "method": "GET"
        }
    },
    "client_ip": "::1",
    "created": "2023-02-15T15:39:55.976243Z",
    "expires": "2024-02-15T15:39:55.975535Z",
    "brand": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

user_write

A user is written to during a flow execution.

Example
{
    "pk": "d012e8af-cb94-4fa2-9e92-961e4eebc060",
    "user": {
        "pk": 1,
        "email": "root@localhost",
        "username": "akadmin"
    },
    "action": "user_write",
    "app": "authentik.events.signals",
    "context": {
        "name": "authentik Default Admin",
        "email": "root@localhost",
        "created": false,
        "username": "akadmin",
        "attributes": {
            "settings": {
                "locale": ""
            }
        },
        "http_request": {
            "args": {
                "query": ""
            },
            "path": "/api/v3/flows/executor/default-user-settings-flow/",
            "method": "GET"
        }
    },
    "client_ip": "::1",
    "created": "2023-02-15T15:41:18.411017Z",
    "expires": "2024-02-15T15:41:18.410276Z",
    "brand": {
        "pk": "fcba828076b94dedb2d5a6b4c5556fa1",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

suspicious_request

A suspicious request has been received (for example, a revoked token was used).

password_set

A user sets their password.

secret_view

A user views a token's/certificate's data.

secret_rotate

A token was rotated automatically by authentik.

invitation_used

An invitation is used.

authorize_application

A user authorizes an application.

Example
{
    "pk": "f52f9eb9-dc2a-4f1e-afea-ad5af90bf680",
    "user": {
        "pk": 1,
        "email": "root@localhost",
        "username": "akadmin"
    },
    "action": "authorize_application",
    "app": "authentik.providers.oauth2.views.authorize",
    "context": {
        "asn": {
            "asn": 6805,
            "as_org": "Telefonica Germany",
            "network": "5.4.0.0/14"
        },
        "geo": {
            "lat": 42.0,
            "city": "placeholder",
            "long": 42.0,
            "country": "placeholder",
            "continent": "placeholder"
        },
        "flow": "53287faa8a644b6cb124cb602a84282f",
        "scopes": "ak_proxy profile openid email",
        "http_request": {
            "args": {
                "query": "[...]"
            },
            "path": "/api/v3/flows/executor/default-provider-authorization-implicit-consent/",
            "method": "GET"
        },
        "authorized_application": {
            "pk": "bed6a2495fdc4b2e8c3f93cb2ed7e021",
            "app": "authentik_core",
            "name": "Alertmanager",
            "model_name": "application"
        }
    },
    "client_ip": "::1",
    "created": "2023-02-15T10:02:48.615499Z",
    "expires": "2023-04-26T10:02:48.612809Z",
    "brand": {
        "pk": "10800be643d44842ab9d97cb5f898ce9",
        "app": "authentik_brands",
        "name": "Default brand",
        "model_name": "brand"
    }
}

source_linked

A user links a source to their account.

impersonation_started / impersonation_ended

A user starts/ends impersonation, including the user that was impersonated.

policy_execution

A policy is executed (when a policy has "Execution Logging" enabled).

policy_exception / property_mapping_exception

A policy or property mapping causes an exception.

system_task_exception

An exception occurred in a system task.

system_exception

A general exception in authentik occurred.

configuration_error

A configuration error occurs, for example during the authorization of an application.

model_created / model_updated / model_deleted

Logged when any model is created/updated/deleted, including the user that sent the request.

info

Starting with authentik 2024.2, when a valid enterprise license is installed, these entries will contain additional audit data, including which fields were changed with this event, their previous values and their new values.

email_sent

An email has been sent. Included is the email that was sent.

update_available

An update is available.