User Events

The User Event object

Standard
Hook failure
Retry failure
Compromised profile

{
  "date": "2023-08-07T09:54:34.183123Z",
  "auth_type": "password",
  "id": "AWUTz0naD6KwGSiAAIMN",
  "type": "signup",
  "canal": "identity_first_party",
  "user_id": "550e8400-e29b-41d4-a716-446655440000",
  "profile_id": "121146661725694",
  "login_time": "2018-08-07T09:54:34.183123Z",
  "client_id": "sg48CdAYohRPeRWZ9j1H",
  "provider": "password",
  "device": "desktop",
  "origin": "www.example.fr/login",
  "ip": "127.0.0.1",
  "host": "https://example.io",
  "job_execution_id": "iKUTe3lBd1MwSSbAmUJp", (1)
  "job_type": "import", (1)
  "job_name": "Daily imports", (1)
  "login_as_profile_id" : "AWUTz0JBD6KwGSiAAIMH",
  "updated_keys" : [
    "signup"
  ],
  "identifier_type": "email",
  "risk_score": 30,
  "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60"
}

1	Only present when the `canal` is `job`.

Webhook

{
  "date": "2023-05-07T09:54:34.183123Z",
  "auth_type": "password",
  "id": "AWUTz0..6KwGSiAAIMN",
  "type": "post_event_failure",
  "canal": "hook",
  "failed_hook_user_event_type": "signup",
  "failed_hook_key": "a_post_event_webhook",
  "failed_hook_error_code": "webhook_host_unreachable",
  "failed_hook_attempts": 3,
  "failed_hook_http_status": "404",
  "user_id": "550e8400-e29b-41d4-a716-446655440000",
  "profile_id": "121146661725694",
  "login_time": "2018-08-07T09:54:34.183123Z",
  "client_id": "sg48CdAYohRPeRWZ9j1H",
  "provider": "password",
  "device": "desktop",
  "origin": "www.example.fr/login",
  "ip": "127.0.0.1",
  "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60"
}

Pub/sub hook

{
  "date": "2024-01-07T09:54:34.183123Z",
  "id": "AWUTz0..6KwGSiAAIMN",
  "type": "pub_sub_event_failure",
  "canal": "hook",
  "failed_hook_project": "webhook_host_unreachable",
  "failed_hook_message_key": "NOT_FOUND",
  "failed_hook_key": "failing_event",
  "failed_hook_user_event_type": "login_matching_password",
  "failed_hook_message": "… NOT_FOUND: Resource not found (resource=blah1234).",
  "failed_hook_topic": "blah1234"
}

{
  "date": "2023-10-07T09:54:34.183123Z",
  "id": "AWUTz0..6KwGSiAAIMN",
  "user_id": "550e8400-e29b-41d4-a716-446655440000",
  "type": "email_failure",
  "canal": "message",
  "failed_message_error": "[temporarily_unavailable] [SMTP] Email sending failed: Sending the email to the following server failed : localhost:1025",
  "failed_message_provider": "smtp",
  "failed_message_template": "email_password_reset"
}

{
  "date": "2023-10-07T09:54:34.183123Z",
  "id": "AWUTz0..6KwGSiAAIMN",
  "user_id": "550e8400-e29b-41d4-a716-446655440000",
  "profile_id": "121146661725694",
  "login_time": "2018-08-07T09:54:34.183123Z",
  "type": "email_failure",
  "ip": "127.0.0.1",
  "client_id": "sg48CdAYohRPeRWZ9j1H",
  "risk_score": 99,
  "lockout_end_date": "2023-11-25T12:15:09.536Z",
  "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60"
}

User Event Fields

Name Description

date

The date on which the event occurred.

auth_type

The type of authentication used.

options

password
phone_number_password
magic_link
sms
external
refresh
login_as
third_party
webauthn

id

User event id.

type

User event type.

See User Event Types for more details.

canal

The channel through which the event was triggered.

Possible values

identity_first_party: triggered via First-party Identity client.
identity_third_party: triggered via Third-party Identity client.
legacy: triggered via Legacy client.
management: triggered via the Management client.
Root: triggered by the root of the ReachFive Console. This is typically ReachFive administrators.
Console: triggered through the ReachFive Console.
ConsoleIdentity: triggered through the First-party Identity client via the ReachFive Console.
automatic_suspension: triggered via the IFP module.
hook: triggered via a hook such as a webhook.
message: triggered via a message such as SMS or email.
job: triggered via a job such as import or export.

job_execution_id

The ID for when a specific job was executed.

This is not the ID of the job definition itself, but rather for the execution of a particular job.

job_type

Specifies the type of job such as import or export.

job_name

The name of the job. This is a friendly string such as "Nightly imports".

user_id

The ReachFive User ID.

profile_id

Alias for user_id.

login_time

Alias for date.

client_id

Client id used.

provider

This is an alias for auth_type.

device

The user’s device.

This is taken directly the HTTP request header. See here for more on the User-Agent request header (where the device field comes from).

origin

Free text parameter describing the source of the login (for reporting purposes only). You can influence this value by using a request parameter such as <url>?origin=<origin>.

This is taken directly the HTTP request header. See here for more on the Origin request header.

ip

User IP address.

If the event is type: profile_compromised, this is considered the attacking IP. For more, see Identity Fraud Protection.

user_agent

Web user agent.

This is taken directly the HTTP request header. See here for more on the User-Agent request header. You can influence the values in the user_agent by using your software library.

Format: User-Agent: <product> / <product-version> <comment>

where product could be your app name such as TheApp and comment could hold your domain such as fr.example.

Example: User-Agent: TheApp/2.1 (fr.TheApp; build:742; iOS 14.7.1) Alamofire/4.9.1

failed_message_error

Message containing information on why an attempt to send a message failed.

failed_message_provider

Message occuring for provider failures.

possible values

adobeCampaign
dialogInsight
smtp
customEmail
splio
oracleResponsys
twilio (SMS)
customSms (SMS)

failed_message_template

Indicates the failed email or SMS template.

Email templates

email_email_verification
email_signup
email_email_update
email_email_update_notification
email_password_reset
email_password_update
email_presignup
email_account_suspension
email_passswordless_otp
email_mfa_otp
email_mfa_registration_otp
email_double-opt-in

SMS templates

sms_phone_verification
sms_signup
sms_phone_update
sms_password_reset
sms_password_update
sms_presignup
sms_account_suspension
sms_passswordless_otp
sms_mfa_otp
sms_mfa_registration_otp
sms_doi

failed_hook_key

The unique webhook key.

failed_hook_http_status

The http status that is returned.

This is not always returned.

failed_hook_error_code

The specific error code for the failure.

possible values

webhook_host_unreachable
webhook_invalid_response
server_error

failed_hook_user_event_type

The user event for which the webhook was triggered.

failed_hook_attempts

The number of retry attempts.

failed_hook_topic

The topic ID of the pub/sub hook that failed.

failed_hook_message_key

The error message key. For example, NOT_FOUND.

failed_hook_message

The error message for the failed hook. This describes why it failed. For example, the topic ID may have not been found for pub/sub hooks or there is a duplicated external ID.

example

...
    "failed_hook_message": "{\"detail\": \"Duplicated external id\", \"code\": \"711\"}"
...

failed_hook_project

The project name of the pub/sub hook that failed.

host

The URL used to trigger the event.

identifier_type

Specifies the type of identifier user.

possible values

email
phone_number
customer_identifier

login_as_profile_id

The user_id used to log in when using Login as.

updated_keys

An array of strings that lists the fields that were modified for the following event types.

signup
managed_user_created
user_created
user_updated

risk_score

Integer showing the risk score between 0 and 100 using our secure risk algorithm. This field is only present if the Risk-based Authentication feature is enabled.

The current default risk_score threshold is 30. Anything above the configured risk score threshold is considered risky and triggers certain RBA actions like email and SMS notifications.

lockout_end_date

Specifies the date and time when a user lockout ends.

If the date is in the future, the user is locked out.
If the date is in the past, the lockout is over and the user is not locked out.
If the user has never been locked out, the field is empty.

User Event Types

The table below describes the types of events that occur under the type parameter in the User Event object.

Name Description

login

Emitted after a successful authentication.

logout

Emitted after a user logs out.

signup

Emitted after a successful signup.

managed_user_created

Emitted after a new user is successfully created through the Management API.

unlink

Emitted after a successful unlink identity.

email_updated

Emitted after a successful email update.

phone_number_updated

Emitted after a successful phone number update.

password_reset_requested

Emitted after a successful password reset request.

password_changed

Emitted after a successful password change.

password_reset

Emitted after a successful password reset process.

profile_compromised

Emitted when the IFP module detects a compromised profile.

otp_sent

Emitted after a one-time password (otp) is successfully sent (via sms or email) for verification.

This includes otps for Two-factor authentication (2FA) flows.

login_not_matching_password

Emitted after an unsuccessful login attempt due to the password not matching.

login_matching_password

Emitted after a successful login via the /password/login call.

user_updated

Emitted after a successful user update.

user_deleted

Emitted after a successful user deletion.

We retain the user_deleted event type for a certain period of time after a user profile is deleted.

user_updated_by_merge

Emitted after a successful merge (for the updated user).

user_deleted_by_merge

Emitted after a successful merge (for the deleted user).

email_verified

Emitted after a successful email verification.

phone_number_verified

Emitted after a successful mobile number verification.

user_created

Emitted after successfully creating a new Lite profile.

authorization_refused

Emitted after an unsuccessful authorization attempt.

authorization_deleted

Emitted after authorization was deleted.

authorization_granted

Emitted after authorization was successfully granted.

lite_merged_into_managed

Emitted after a lite profile was succesfully merged into a managed profile.

login_2nd_step

Emitted after the user has successfully logged in using the Two-factor authentication (2FA) flow.

leaked_credentials_usage

Emitted after a user uses credentials that are marked as leaked.

This applies to users signing up, logging in, or updating a password.

leaked_credentials_delete

Emitted when credentials have the "leaked" mark removed.

This means that the user no longer uses credentials known to be leaked.

ACCOUNT PROTECTION

user_suspended

Emitted after a successful user account suspension.

user_unsuspended

Emitted after a successful user account unsuspension.

login_successful_suspended_account

Emitted after an unsuccessful login attempt on a suspended account with the correct credentials.

login_unverified_identifier

Emitted when a user attempts to log in with an unverified identifier.

This event is only emitted if the Block unverified login attempts feature is enabled.

signup_compromised

Emitted when a user profile is created with a suspicious IP.

risky_login_notification

Emitted when a risky login notification was sent to the user.

risk_threshold_exceeded

Emitted when the risk_score threshold was exceeded.

WEBHOOK FAILURES

pre_event_failure

Emitted when a failure occurred in a pre-event webhook.

Currently, you can only set up PubSub hooks to trigger based on this event. It’s not possible on standard pre/post event webhooks.

post_event_failure

Emitted when a failure occurred in a post-event webhook.

Currently, you can only set up PubSub hooks to trigger based on this event. It’s not possible on standard pre/post event webhooks.

pub_sub_event_failure

Emitted when a failure occurred in a Pub/sub hook.

RETRY FAILURE EVENTS

email_failure

Emitted if there is an error while sending an email. Occurs after the provider responds with an error after the 3rd attempt.

sms_failure

Emitted if there is an error while sending an sms. Occurs after the provider responds with an error after the 3rd attempt.

USER LOCKOUT EVENTS

profile_lockout

Emitted each time a user profile is locked.

MFA EVENTS

mfa_phone_number_deleted

Emitted after an MFA credential (phone number) is deleted.

mfa_email_deleted

Emitted after an MFA credential (email) is deleted.

mfa_email_start_registration

Emitted after an email is used to start the MFA registration process.

mfa_email_verify_registration

Emitted after an email has been verified as an MFA credential.

mfa_phone_number_start_registration

Emitted after a phone number is used to start the MFA registration process.

mfa_phone_number_verify_registration

Emitted after a phone number has been verified as an MFA credential.

mfa_trusted_device_added

Emitted after a device has been added as a trusted device .

mfa_trusted_device_deleted

Emitted after a device has been removed as a trusted device .

CONSENT EVENTS

consent.granted

Emitted after a consent was successfully granted.

consent.waiting

Emitted after a DOI consent was moved to the waiting status. This means the consent is awaiting follow-up action from the user.

consent.denied

Emitted after a consent was officially rejected (denied).

PASSKEY EVENTS

webauthn_credential_created

Emitted after a passkey was successfully created.

webauthn_credential_deleted

Emitted after a passkey was successfully deleted.

GUEST EVENTS

login_invalid_identifier_format

Emitted after an unsuccessful login due to the identifier format.

login_unknown_identifier

Emitted after an unsuccessful login attempt due to an unknown identifier.

signup_invalid_email_format

Emitted after an unsuccessful signup attempt due to an invalid email format.

signup_not_compliant_password

Emitted after an unsuccessful signup attempt because the password was not compliant.