We're thrilled to announce the General Availability (GA) of the Auth0 Fine-Grained Authorization (FGA) Logging API.
Modern applications require not just powerful authorization, but also complete transparency into how that authorization works. Whether you're a developer debugging an access issue, a security engineer monitoring for threats, or a compliance officer preparing for an audit, you need a clear, accessible record of every authorization event.
The FGA Logging API is a new, dedicated endpoint that provides a comprehensive audit trail for every interaction with the FGA system. You can now programmatically retrieve detailed logs to gain deep insights into your application's access control behavior.
Use authorization logs to audit, debug, and monitor with confidence
Based on extensive feedback from our customers and the developer community, we designed the Logging API to solve three critical challenges:
1. Effortless audit and compliance
Meeting stringent industry and regulatory standards requires a verifiable trail of who accessed what, and when. The Logging API makes this simple. You can easily retrieve immutable logs(logs that cannot be altered after being written) for all critical operations to satisfy auditors and ensure you're adhering to internal and external policies.
As a compliance officer, you can now audit all API operations to ensure only authorized users have accessed critical resources.
2. Accelerated troubleshooting and debugging
Developers know the frustration of a permission check that fails unexpectedly. Was it a recently changed relationship tuple? A model update? The Logging API provides the granular detail needed to find the root cause fast. Filter logs by request ID, status code, user, or object to pinpoint the exact source of an issue and improve system reliability.
3. Proactive security and performance monitoring
With full visibility into your FGA API usage, you can proactively monitor for unusual activity, optimize your authorization models, and manage API performance. As a security engineer, you can monitor all API calls—filtering by IP address or user agent—to detect potential misuse and ensure your models are implemented correctly.
Key features
- Comprehensive coverage: Logs are captured for all public Auth0 FGA APIs (https://docs.fga.dev/api/service), including relationship tuple changes, access checks, and authorization model updates.
- Powerful filtering: Programmatically query logs with flexible filters for time range, user, IP address, API operation, status code, and more.
- Secure and reliable: The service is designed for high availability and ensures logs are encrypted in transit and at rest.
- Easy integration: Export log data to external monitoring and analytics tools to centralize your monitoring efforts.
Putting it into practice: Common use cases
To show the power and flexibility of the FGA Logging API, let's walk through three common scenarios you can solve right away.
1. Centralize your logs
For comprehensive security and operational visibility, it's crucial to centralize logs from all your services. You can use the Logging API to periodically export FGA logs to your preferred log management or Security Information and Event Management (SIEM) platform.
This is typically done by running a scheduled script that queries the API for new logs since the last run and forwards them. The query uses the continuation_token to paginate through results, ensuring you get every log entry.
Example query: Retrieve pages of logs
This command fetches the first page of logs.
curl "$FGA_API_URL/stores/$FGA_STORE_ID/logs" -H "authorization: bearer $ACCESS_TOKEN"
Next page (use the continuation_token returned from the previous response):
curl "$FGA_API_URL/stores/$FGA_STORE_ID/logs?continuation_token=<TOKEN_FROM_PREVIOUS_RESPONSE>" -H "authorization: bearer $ACCESS_TOKEN"
By repeatedly calling this endpoint with the latest token until the response is empty, you can build a complete and centralized audit trail.
2. Identify who made a permission change
Imagine a sensitive file had its permissions changed, and you need to know who did it and when. This is a critical audit and security task. You can investigate this by filtering for Write operations on a specific object.
The Write operation in FGA is used to create or delete relationship tuples, which is how permissions are granted or revoked.
Example query: Find who granted access to a report
This query searches for all logs where a Write operation occurred for the object document:annual_report.
curl "$FGA_API_URL/stores/$FGA_STORE_ID/logs?query=request.operation:Write&request.tuple_key.object:'document:annual_report'" -H "authorization: bearer $ACCESS_TOKEN"
The log entries in the response will show you the exact time of the change, the source IP address, and the user or client ID that made the API call, giving you a clear answer for your audit.
3. Find which resources a user accessed
Whether for a compliance review or an off-boarding process, you often need to know what resources a particular user has accessed or attempted to access. You can achieve this by filtering for all Check API calls made for a specific user.
Example query: List all access checks for user:Anne
This query returns a log of every permission check performed for user:Anne, showing what they tried to access and whether they were allowed.
curl "$FGA_API_URL/stores/$FGA_STORE_ID/logs?query=request.operation:Check&request.tuple_key.user:'user:Anne'" -H "authorization: bearer $ACCESS_TOKEN"
The results will include the object and relation for each check, as well as the allowed: true or allowed: false result, providing a complete history of that user's access attempts.
Get started today
The FGA Logging API is now available for all paid-tier customers. To get started, check out the documentation:
We're excited to see how you use this new capability to build more secure, compliant, and reliable applications. Happy building!