Skip to main content
The Audit log under Organization Settings → Enterprise Identity is an append-only, organization-scoped record of identity and access changes. Use it to troubleshoot sign-in failures, verify SCIM behavior, and review administrative actions.
The audit log stores operational metadata only—never SAML assertions, bearer tokens, or full SCIM payloads.

Viewing events

Audit log Owners can:
  • Browse events in reverse chronological order
  • Filter by event type, date range, and free-text search
  • Open an event for full detail (actor, target user, workspace, WorkOS event ID, connection ID)
  • Export filtered results to CSV
Events include a source field indicating whether the action came from SSO, Directory Sync, the dashboard, CLI, or another internal path.

Event categories

SSO sign-in

Event typeMeaning
sso_login_successUser completed SSO and signed in
sso_login_failedSSO authentication failed
sso_enforcement_blockedEmail/password or social login blocked because Require SSO is on
sso_rejected_deactivated_identitySSO rejected for a previously deprovisioned IdP identity

SSO setup and testing

Event typeMeaning
sso_setup_startedSSO configuration flow started
sso_setup_savedSSO configuration saved
sso_test_startedTest SSO initiated from dashboard
sso_test_succeededTest SSO completed successfully
sso_test_failedTest SSO failed
sso_connection_activatedSSO connection became active

JIT provisioning

Event typeMeaning
jit_user_provisionedNew user created on first SSO login
jit_user_deniedJIT blocked (e.g. email domain not allowed)

Directory Sync (users)

Event typeMeaning
directory_user_createdSCIM user provisioned
directory_user_updatedSCIM user profile updated
directory_user_deactivatedSCIM user deactivated / deprovisioned
reactivation_attempt_rejectedBlocked attempt to restore a deprovisioned identity

Directory Sync (groups)

Event typeMeaning
directory_group_createdIdP group synced
directory_group_updatedIdP group updated
directory_group_deletedIdP group removed
directory_group_user_addedUser added to synced group
directory_group_user_removedUser removed from synced group

Group mappings

Event typeMeaning
group_role_mapping_createdIdP group mapped to workspace role
group_role_mapping_updatedMapping changed
group_role_mapping_deletedMapping removed
group_mapping_blocked_last_adminChange blocked to preserve last workspace Admin
scim_role_grant_blockedRole grant blocked (e.g. disallowed role name)

Workspace access

Event typeMeaning
workspace_membership_grantedUser added to workspace
workspace_membership_revokedUser removed from workspace
workspace_role_changedIdentity-managed role updated
workspace_role_downgrade_blockedDowngrade blocked by last-Admin rules
ownership_transferredWorkspace Admin ownership moved on deprovision
workspace_orphanedNo Admin candidate after deprovision

Policy and settings

Event typeMeaning
identity_settings_updatedSign-in policy or default workspace changed
identity_policy_version_bumpedSessions invalidated for policy change
require_sso_enabledRequire SSO turned on
require_sso_disabledRequire SSO turned off
enterprise_identity_enabledFeature enabled for org
enterprise_identity_disabledFeature disabled for org
directory_sync_activatedDirectory Sync connection active

Break-glass and MFA

Event typeMeaning
break_glass_login_usedEmergency access Owner signed in with email/password
break_glass_login_blockedEmergency login attempt blocked
break_glass_guardrail_blockedAction blocked by break-glass safety rules
mfa_disabled_for_managed_userMFA change blocked for SSO-managed member

Operational triage

ProblemEvents to check
User cannot sign in with SSOsso_login_failed, sso_rejected_deactivated_identity, jit_user_denied
User stuck after SSOjit_user_provisioned without workspace_membership_granted — check mappings
Access removed unexpectedlydirectory_user_deactivated, directory_group_user_removed, workspace_membership_revoked
Require SSO lockoutsso_enforcement_blocked, break_glass_login_used
Mapping change did not applygroup_mapping_blocked_last_admin, scim_role_grant_blocked
Workspace has no Adminworkspace_orphaned, ownership_transferred

Retention and export

Audit events are stored in the identity_audit_events table in your organization’s PostgreSQL database. Cloud (PromptLayer-hosted): Events persist for the life of your organization unless PromptLayer applies a platform retention policy. Use Export to CSV in the dashboard for ad-hoc exports. Contact PromptLayer support for long-term retention or compliance questions. Self-hosted: You operate the database. Audit data lives in your PostgreSQL instance alongside the rest of PromptLayer metadata—you control backup, retention, and archival policies. Export from the dashboard UI or query identity_audit_events directly for compliance reporting.