Skip to main content

​
Get Security Audits

Retrieve security audit events such as login attempts, token operations, and permission denials. 
GET /api/v1/audits/security?action=LoginFailed&fromUtc=2026-03-01T00:00:00Z

​
Query Parameters

​
action
enum
Filter by security action type:
  • LoginSucceeded - Successful login attempts
  • LoginFailed - Failed login attempts
  • TokenIssued - JWT token issuance
  • TokenRevoked - JWT token revocation
  • PasswordChanged - Password change events
  • RoleAssigned - User role assignments
  • RoleRevoked - User role removals
  • PermissionDenied - Authorization failures
  • PolicyFailed - Authorization policy failures
​
userId
string
Filter by user identifier
​
tenantId
string
Filter by tenant identifier
​
fromUtc
datetime
Start date/time for audit events (UTC)
​
toUtc
datetime
End date/time for audit events (UTC)

​
Authorization

Requires Permissions.Auditing.View permission.

​
Response

Returns an array of security audit summary objects.
​
id
uuid
Unique audit event identifier
​
occurredAtUtc
datetime
When the security event occurred
​
eventType
enum
Always Security for this endpoint
​
severity
enum
Event severity: Trace, Debug, Information, Warning, Error, Critical
​
tenantId
string
Associated tenant identifier
​
userId
string
User who triggered the event
​
userName
string
Display name of the user
​
traceId
string
Distributed tracing identifier
​
correlationId
string
Correlation identifier for related events
​
requestId
string
HTTP request identifier
​
source
string
Source system or component that generated the audit
​
tags
flags
Bitwise flags for additional metadata:
  • PiiMasked - Contains masked personally identifiable information
  • OutOfQuota - Event occurred during quota violation
  • Sampled - Event was sampled for performance
  • RetainedLong - Event will be retained longer than normal
  • HealthCheck - Related to health check operations
  • Authentication - Authentication-related event
  • Authorization - Authorization-related event
[
  {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "occurredAtUtc": "2026-03-06T14:23:15.123Z",
    "eventType": "Security",
    "severity": "Warning",
    "tenantId": "acme-corp",
    "userId": "user-123",
    "userName": "[email protected]",
    "traceId": "4bf92f3577b34da6a3ce929d0e0e4736",
    "correlationId": "abc123",
    "requestId": "0HN1234567890",
    "source": "FSH.Modules.Identity",
    "tags": 32
  },
  {
    "id": "660e9511-f3ac-52e5-b827-557766551111",
    "occurredAtUtc": "2026-03-06T14:18:42.456Z",
    "eventType": "Security",
    "severity": "Information",
    "tenantId": "acme-corp",
    "userId": "user-456",
    "userName": "[email protected]",
    "traceId": "5cg03g4688c45db7b4df030e1f1f5847",
    "correlationId": "def456",
    "requestId": "0HN1234567891",
    "source": "FSH.Modules.Identity",
    "tags": 32
  }
]

​
Common Use Cases

​
Monitor Failed Login Attempts

Track potential security threats by monitoring failed logins: 
GET /api/v1/audits/security?action=LoginFailed&fromUtc=2026-03-06T00:00:00Z
Look for patterns:
  • Multiple failures from same user (potential brute force)
  • Multiple failures from same IP (potential attack)
  • Failures outside business hours

​
Track Permission Denials

Identify authorization issues or potential privilege escalation attempts: 
GET /api/v1/audits/security?action=PermissionDenied&userId=user-123

​
Audit Administrative Changes

Monitor role assignments and revocations: 
GET /api/v1/audits/security?action=RoleAssigned&fromUtc=2026-03-01T00:00:00Z

​
Investigate User Activity

Get all security events for a specific user: 
GET /api/v1/audits/security?userId=user-123&fromUtc=2026-03-01T00:00:00Z

​
Tenant Security Overview

Review security events for a specific tenant: 
GET /api/v1/audits/security?tenantId=acme-corp&fromUtc=2026-03-01T00:00:00Z

​
Security Action Types

Recorded when a user successfully authenticates.Severity: Information
Use: Track user access patterns, login times, device usage
Recorded when authentication fails (wrong password, non-existent user, etc.).Severity: Warning
Use: Detect brute force attacks, identify account issues
Recorded when a JWT token is issued to a user.Severity: Information
Use: Track token lifecycle, audit API access
Recorded when a token is explicitly revoked before expiration.Severity: Information
Use: Track forced logouts, security incident response
Recorded when a user changes their password.Severity: Information
Use: Audit password policy compliance, detect compromised accounts
Recorded when a role is assigned to a user.Severity: Information
Use: Track permission changes, audit administrative actions
Recorded when a role is removed from a user.Severity: Information
Use: Track permission changes, audit administrative actions
Recorded when authorization fails due to missing permissions.Severity: Warning
Use: Detect privilege escalation attempts, identify permission gaps
Recorded when a custom authorization policy fails.Severity: Warning
Use: Audit complex authorization rules, debug policy issues
Security audits are automatically tagged with the Authentication or Authorization flag for quick filtering.

Build docs developers (and LLMs) love

Get started for freeTalk to us