
Audit Logs

Mindful Auth audit logs capture detailed records of authentication-related events within your application. These logs are essential for monitoring security, troubleshooting issues, and maintaining compliance with regulatory requirements. The audit logs are sent to the audit logs backend you configure during tenant onboarding (Tape, D1, etc.). Mindful Auth never stores audit logs itself; they are always written to your configured backend.

Here is a comprehensive list of all audit events monitored by Mindful Auth across authentication, account management, password operations, two-factor authentication, and administrative functions.

  • login_missing_credentials — User attempted login without providing email or password
  • login_bot_detected — Turnstile bot verification failed during login
  • login_velocity_violation — Login velocity threshold exceeded (distributed attack detected)
  • login_velocity_suspicious — Suspicious login pattern detected (logged as warning, not blocked)
  • login_blocked_brute_force — User account locked due to brute force attempts
  • login_account_locked — Login attempt on locked account
  • login_email_unverified — Login attempt on account with unverified email
  • login_password_change_required — Login blocked, password change pending
  • login_geo_anomaly — Impossible travel detected (different country within 6 hours)
  • login_requires_two_factor — Successful password verification, 2FA required
  • user_logged_in_successfully — User successfully authenticated and session created
  • magic_link_request_invalid_input — Invalid email format in magic link request
  • magic_link_request_bot_detected — Turnstile verification failed
  • magic_link_request_ip_banned — IP exceeded magic link request limit (10/hour)
  • magic_link_request_velocity_violation — Email velocity threshold exceeded
  • magic_link_request_velocity_suspicious — Suspicious magic link request pattern
  • magic_link_request_config_error — Magic link webhook not configured
  • magic_link_request_rate_limited — Rate limit cooldown active for email
  • magic_link_request_unknown_email — Magic link requested for non-existent email
  • magic_link_request_account_locked — Magic link request on locked account
  • magic_link_request_unverified_email — Magic link requested for unverified email
  • magic_link_webhook_error — Webhook delivery failed
  • magic_link_sent — Magic link email sent successfully
  • magic_link_verification_turnstile_failed — Turnstile failed during magic link verification
  • magic_link_verification — Magic link token being verified
  • magic_link_verification_system_error — System error during verification
  • magic_link_verification_account_locked — Verification on locked account
  • magic_link_2fa_required — 2FA required after magic link verification
  • magic_link_2fa_verification_failed — Invalid 2FA code provided
  • magic_link_2fa_verification_success — 2FA verified successfully
  • magic_link_verification_success_no_2fa — Magic link verified, no 2FA configured
  • magic_link_login_success — User successfully logged in via magic link
  • account_create — User initiated password registration
  • registration_ip_banned — IP exceeded registration limit (5/hour)
  • registration_velocity_violation — Email or distributed registration attack detected
  • registration_velocity_suspicious — Suspicious registration pattern (logged as warning)
  • registration_password_policy_violation — Password failed policy validation
  • registration_duplicate — Account already exists with that email
  • registration_system_error — System error during registration
  • user_registered_successfully — User account created successfully
  • magic_link_registration — User initiated magic link registration
  • magic_link_registration_ip_banned — IP exceeded registration limit
  • magic_link_registration_velocity_violation — Email or distributed attack detected
  • magic_link_registration_velocity_suspicious — Suspicious pattern detected
  • magic_link_registration_duplicate — Account already exists
  • magic_link_registration_system_error — System error during registration
  • magic_link_user_registered — User registered via magic link successfully
  • email_verification — Email verification token being verified
  • email_verification_system_error — System error during email verification
  • email_verified_successfully — User email verified successfully
  • verification_resend_bot_detected — Turnstile verification failed
  • verification_resend_ip_banned — IP exceeded resend limit (10/hour)
  • verification_resend_velocity_violation — Email harassment detected (5+ IPs)
  • verification_resend_velocity_suspicious — Suspicious resend pattern
  • verification_resend_rate_limited — Rate limit cooldown active (5-minute window)
  • verification_email_resent — Verification email resent successfully
  • resend_verification_invalid_tenant — Invalid X-Tenant-Domain header
  • resend_verification_invalid_input — Missing recordId or email
  • resend_verification_invalid_email — Invalid email format
  • resend_verification_tenant_not_found — Tenant not found in KV
  • resend_verification_missing_api_key — Missing Authorization header
  • resend_verification_missing_credentials — Internal API key not configured
  • resend_verification_decryption_error — Failed to decrypt internal API key
  • resend_verification_unauthorized_api_key — API key validation failed
  • resend_verification_user_not_found — User record not found
  • resend_verification_email_mismatch — Email doesn’t match user record
  • resend_verification_not_pending — Account not in “Email Verification Pending” status
  • resend_verification_rate_limited — 5-minute rate limit active
  • verification_email_resent — Verification email resent successfully
  • password_reset_request_bot_detected — Turnstile verification failed
  • password_reset_request_invalid_input — Email not provided
  • password_reset_request_rate_limited — Rate limit active (prevents spam)
  • password_reset_request_unknown_email — Reset requested for non-existent email
  • password_reset_link_sent — Password reset link email sent successfully
  • password_reset_validation_failed — Token/recordId validation failed
  • password_reset_turnstile_failed — Turnstile verification failed (2 events possible)
  • password_reset_rate_limited — Rate limit cooldown active
  • password_reset_token_missing — Reset token not provided
  • password_reset_token_mismatch — Token doesn’t match stored token
  • password_reset_token_consumed — Token already used (one-time tokens)
  • password_reset_user_not_found — User record not found
  • password_reset_2fa_required — 2FA code required for reset
  • password_reset_2fa_secret_missing — 2FA secret not configured
  • password_reset_2fa_encryption_key_missing — Tenant encryption key missing
  • password_reset_2fa_invalid — Invalid 2FA code provided
  • password_reset_2fa_verified — 2FA verified successfully
  • password_reset_same_password — New password same as current password
  • password_reset_failed — System error updating password
  • password_reset_success — Password reset successfully
  • password_change_invalid_input — Invalid input (missing fields, short password)
  • password_change_rate_limit_exceeded — Max 5 changes per day exceeded
  • password_change_policy_violation — Password failed policy validation
  • password_change_user_not_found — User record not found
  • password_change_2fa_required — 2FA code required for change
  • password_change_2fa_secret_missing — 2FA secret not configured
  • password_change_2fa_encryption_key_missing — Tenant encryption key missing
  • password_change_2fa_invalid — Invalid 2FA code provided
  • password_change_2fa_verified — 2FA verified successfully
  • password_change_same_password — New password same as current password
  • password_change_system_error — System error updating password
  • password_changed_successfully — Password changed and sessions invalidated
  • two_factor_setup — 2FA setup initiated or validated (multiple stages logged separately)
  • two_factor_verify_setup — 2FA verification during setup (multiple stages logged separately)
  • two_factor_login — 2FA code provided during login
  • two_factor_login_locked — 2FA locked due to too many failed attempts
  • two_factor_disable_invalid_input — Invalid input provided
  • two_factor_disable_user_not_found — User record not found
  • two_factor_disable_verification_error — Verification failed
  • two_factor_disable_invalid_password — Invalid password for disable
  • two_factor_disable_system_error — System error during disable
  • two_factor_disabled_successfully — 2FA disabled successfully
  • account_lock_invalid_tenant — Invalid X-Tenant-Domain header
  • account_lock_invalid_input — Missing recordId or action
  • account_unlock_invalid_email — Invalid email for unlock action
  • account_lock_tenant_not_found — Tenant not found
  • account_lock_missing_api_key — Missing Authorization header
  • account_lock_missing_credentials — Internal API key not configured
  • account_lock_decryption_error — Failed to decrypt internal API key
  • account_lock_unauthorized_api_key — API key validation failed
  • account_lock_invalid_action — Action must be “lock” or “unlock”
  • account_unlock_attempts_clear_error — Failed to clear login attempts during unlock
  • account_locked_successfully — Account locked, sessions invalidated
  • account_unlocked_successfully — Account unlocked, login attempts cleared
  • tenant_disconnected_access_blocked — Tenant status is “Disconnected”, access denied
  • validate_session_unauthorized — Session validation failed (invalid/expired token)
  • protected_page_accessed — User accessed protected page with valid session
  • protected_page_access_denied — Access denied (session expired or missing)
  • user_logged_out — User logged out and session invalidated

All audit events include the following contextual information when available:

  • user_email — User’s email address
  • user_record — User record ID
  • session_id — Session ID if authenticated
  • ip_address — Client IP address (prefers X-Forwarded-For over CF-Connecting-IP)
  • timezone — Client timezone
  • country_code — Country code from IP geolocation
  • latitude_longitude — Geographic coordinates (comma-separated)
  • continent — Continent name
  • asn — Autonomous System Number
  • isp — Internet Service Provider
  • user_agent — Browser/client user agent
  • cf_request_id — Cloudflare request ID (CF-Ray header)
  • event_type — Event classification
  • event_status — success/failure/warning/info
  • risk_level — low/medium/high/critical
  • message — Human-readable description
  • timestamp — ISO 8601 timestamp (UTC)
  • requested_url — Endpoint path
  • error_details — Error message (if failed)
  • metadata — Additional structured data (JSON)
  • tenant_domain — Tenant hostname
  • location — Backend-native location field (e.g., Tape’s location object)
    • Passed as object from auditLog.js (Tape’s native format)
    • SQL backends receive JSON.stringify() conversion in adapter layer

Level     Usage
low       Routine operations, minor validation issues
medium    Validation failures, missing authentication, rate limits
high      Unauthorized access attempts, 2FA failures, account locking, brute force detected
critical  Tenant configuration errors, credential validation failures, system errors, encryption failures

Status    Meaning
success   Operation completed successfully
failure   Operation failed (validation error, not found, unauthorized, system error)
warning   Detected suspicious pattern but allowed (e.g., velocity_suspicious, high-risk login)
info      Informational event

  • Required Feature: Mindful Auth Business plan
  • Control: auditLogsStatus field in tenant config ('Active' or 'Deactivated')
  • Disabled Tenants: Events logged to Cloudflare console but not persisted to backend
  • Tenant Events: Stored in tenant’s configured audit logs app (Tape, D1, or custom backend)
  • Admin Events: Stored in central admin audit app (app.mindfulauth.com)
  • Non-blocking: Audit logging failures don’t interrupt main authentication flow
  • Source: MaxMind GeoIP service
  • Fallback: Cloudflare edge context (cf.asn, cf.timezone) if geolocation unavailable

Example audit event (successful login):

{
  "event_type": "user_logged_in_successfully",
  "timestamp": "2026-01-19T14:30:45.123Z",
  "user_email": "user@example.com",
  "user_record": "123456789",
  "session_id": "sess_abc123...",
  "tenant_domain": "portal.example.com",
  "ip_address": "203.0.113.42",
  "country_code": "US",
  "timezone": "America/New_York",
  "asn": "15169",
  "isp": "Google LLC",
  "continent": "North America",
  "latitude_longitude": "40.7128, -74.0060",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)...",
  "cf_request_id": "abcd1234-5678-9012",
  "event_status": "success",
  "risk_level": "low",
  "message": "User logged in successfully",
  "requested_url": "/auth/login"
}
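Added example (not Mindful Auth's own code): a small Python triage script that reads events exported from your audit backend in the record format shown above, normalises the location field for both shapes described in the field list (Tape object vs. SQL JSON.stringify() string), and flags events the service marked high/critical together with a defender-side re-check of the impossible-travel rule (same user, different country within 6 hours) over successful logins. The NDJSON sample is constructed and the GEO_WINDOW value is assumed from the login_geo_anomaly description.

```python
import json
from datetime import datetime, timedelta
GEO_WINDOW = timedelta(hours=6)  # assumed, from the login_geo_anomaly description

# Constructed NDJSON sample. The second event's "location" is a JSON string
# (SQL backend, JSON.stringify()); the others carry Tape's object form.
SAMPLE_NDJSON = """\
{"event_type": "user_logged_in_successfully", "timestamp": "2026-01-19T14:30:45.123Z", "user_email": "user@example.com", "country_code": "US", "ip_address": "203.0.113.42", "event_status": "success", "risk_level": "low", "location": {"country": "US"}}
{"event_type": "login_blocked_brute_force", "timestamp": "2026-01-19T15:02:10.000Z", "user_email": "other@example.com", "country_code": "DE", "ip_address": "198.51.100.7", "event_status": "failure", "risk_level": "high", "location": "{\\"country\\": \\"DE\\"}"}
{"event_type": "user_logged_in_successfully", "timestamp": "2026-01-19T17:45:00.000Z", "user_email": "user@example.com", "country_code": "BR", "ip_address": "192.0.2.9", "event_status": "success", "risk_level": "low", "location": {"country": "BR"}}
"""

def parse_events(ndjson: str) -> list[dict]:
    """Parse one event per line, normalise `location`, add aware datetime `ts`."""
    events = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if isinstance(ev.get("location"), str):  # stringified by SQL adapters
            ev["location"] = json.loads(ev["location"])
        ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def high_risk(events: list[dict]) -> list[dict]:
    """Events the backend already classified as high or critical risk."""
    return [e for e in events if e.get("risk_level") in ("high", "critical")]

def geo_anomalies(events: list[dict]) -> list[tuple]:
    """Impossible travel over successful logins: same email, different
    country_code, within GEO_WINDOW. Returns (email, from, to, gap)."""
    last_seen: dict[str, tuple[datetime, str]] = {}
    hits = []
    for e in events:
        if e.get("event_type") != "user_logged_in_successfully":
            continue
        email, country = e["user_email"], e.get("country_code")
        prev = last_seen.get(email)
        if prev and country and prev[1] != country and e["ts"] - prev[0] <= GEO_WINDOW:
            hits.append((email, prev[1], country, e["ts"] - prev[0]))
        last_seen[email] = (e["ts"], country)
    return hits

if __name__ == "__main__":
    evs = parse_events(SAMPLE_NDJSON)
    for e in high_risk(evs):
        print("HIGH RISK:", e["event_type"], e["user_email"], e["ip_address"])
    for email, src, dst, gap in geo_anomalies(evs):
        print(f"GEO ANOMALY: {email} {src} -> {dst} within {gap}")
```

Point parse_events at a real export (one JSON object per line) to run the same checks over your own backend's records.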