The event object for the post-login Actions trigger provides contextual information about a single user logging in via Auth0.
Property Description
event.authentication
Details about authentication signals obtained during the login flow.
Includes the following properties:
  • methods Array of objects — Contains the authentication methods a user has completed during their session.
    Array elements:
    • One of the following object schemas:
      • An object with the following properties:
        • name String — The name of the first factor that was completed. Values include:
          • “federated” — A social or enterprise connection was used to authenticate the user as the first factor.
          • “pwd” — A password was used to authenticate a database connection user as the first factor.
          • “passkey” — A passkey was used to authenticate a database connection user as the first factor.
          • “sms” — Passwordless SMS used to authenticate the user as the first factor.
          • “email” — Passwordless Email used as the first factor or to verify email for password reset.
          • “phone_number” — A phone number was used for password reset.
          • “mock” — Used for internal testing.
          • string — A custom authentication method denoted by a URL (as second or later factor).
        • timestamp String
      • An object with the following properties:
        • name The value “mfa” — The user completed multi-factor authentication (second or later factors).
        • timestamp String
  • riskAssessment Optional object — Details about risk assessments obtained during the login or password reset flow.
    Includes the following properties:
    • assessments Object — Includes the following properties:
      • ImpossibleTravel Optional object — Determines if the user is logging in from a location signaling impossible travel.
        Includes the following properties:
        • code String — Possible values include:
          • minimal_travel_from_last_login
          • travel_from_last_login
          • substantial_travel_from_last_login
          • impossible_travel_from_last_login
          • invalid_travel
          • missing_geoip
          • anonymous_proxy
          • unknown_location
          • initial_login
          • location_history_not_found
          • assessment_not_available
        • confidence String — Possible values include:
          • low
          • medium
          • high
          • neutral
      • NewDevice Optional object — Determines if the user is logging in from a known device.
        Includes the following properties:
        • code String — Possible values include:
          • match
          • partial_match
          • no_match
          • initial_login
          • unknown_device
          • no_device_history
          • assessment_not_available
        • confidence String — Possible values include:
          • low
          • medium
          • high
          • neutral
        • details Optional object — Includes the following properties:
          • device Optional string — Possible values include:
            • known
            • unknown
          • useragent Optional string — Possible values include:
            • known
            • unknown
      • UntrustedIP Optional object — Shows if the IP was found in Auth0’s repository of low reputation IPs.
        Includes the following properties:
        • code String — Possible values include:
          • not_found_on_deny_list
          • found_on_deny_list
          • invalid_ip_address
          • assessment_not_available
        • confidence String — Possible values include:
          • low
          • medium
          • high
          • neutral
        • details Optional object — Includes the following properties:
          • category Optional string
          • ip Optional string — The originating IP address of the request.
          • matches Optional string
          • source Optional string
    • confidence String — Overall risk score.
      Possible values include:
      • low
      • medium
      • high
      • neutral
    • external Optional object — [Limited Early Access] External risk assessment.
      Includes the following properties:
      • akamai Optional object — Includes:
        • akamaiBot Optional object — The bot detection results as forwarded by Akamai Bot Manager.
          Includes the following properties:
          • action Optional string — The action of the Akamai bot manager results.
          • botCategory Optional array of strings — The bot category.
          • botScore Optional number — The bot score.
          • botScoreResponseSegment Optional string — The bot score response segment.
          • botnetId Optional string — The botnet ID.
          • type Optional string — The type.
        • akamaiUserRisk Optional object — The user risk detection results as forwarded by Akamai Account Protector.
          Includes the following properties:
          • action Optional string — The action.
          • allow Optional number — The allowed status.
          • emailDomain Optional string — The user’s email domain.
          • general Optional string — General risk.
          • ouid Optional string — The OUID.
          • requestid Optional string — The request ID.
          • risk Optional string — The risk.
          • score Optional number — The score.
          • status Optional number — The status.
          • trust Optional string — The trust level.
          • username Optional string — The username.
          • uuid Optional string — The UUID.
    • supplemental Optional object — [Limited Early Access] Supplemental risk assessment.
      Includes the following properties:
      • akamai Optional object — Includes:
        • akamaiBot Optional object — Bot detection (Akamai Bot Manager).
          Includes:
          • action Optional string
          • botCategory Optional array of strings
          • botScore Optional number
          • botScoreResponseSegment Optional string
          • botnetId Optional string
          • type Optional string
        • akamaiUserRisk Optional object — User risk (Akamai Account Protector).
          Includes:
          • action Optional string
          • allow Optional number
          • emailDomain Optional string
          • general Optional string
          • ouid Optional string
          • requestid Optional string
          • risk Optional string
          • score Optional number
          • status Optional number
          • trust Optional string
          • username Optional string
          • uuid Optional string
    • version String
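An added example (not from the Auth0 page) of a post-login Action that consumes the `event.authentication` fields above: it steps up to MFA or denies the login based on `riskAssessment` codes and on whether `methods` already contains `mfa`. The policy thresholds, the `evaluateLogin` helper and the reading of `low` confidence as high risk are assumptions of this example; `api.access.deny` and `api.multifactor.enable` are Actions API methods that this section does not document.

```javascript
// Added example: risk-based step-up built on event.authentication.
// Policy choices below are assumptions for illustration, not Auth0 defaults.

// Codes from the lists above that this policy treats as hard signals.
const HARD_SIGNALS = {
  ImpossibleTravel: ['impossible_travel_from_last_login', 'anonymous_proxy'],
  UntrustedIP: ['found_on_deny_list'],
  NewDevice: ['no_match'],
};

// Pure function: returns { action: 'allow' | 'mfa' | 'deny', reasons: [...] }.
function evaluateLogin(event) {
  const auth = event.authentication || {};
  const methods = Array.isArray(auth.methods) ? auth.methods : [];
  const mfaDone = methods.some((m) => m.name === 'mfa');
  const risk = auth.riskAssessment; // optional: may be absent entirely

  if (!risk) {
    // No assessment available: fail toward step-up rather than silently allow.
    return { action: mfaDone ? 'allow' : 'mfa', reasons: ['no_risk_assessment'] };
  }

  const reasons = [];
  const assessments = risk.assessments || {};
  for (const [name, codes] of Object.entries(HARD_SIGNALS)) {
    const a = assessments[name]; // each individual assessment is optional
    if (a && codes.includes(a.code)) reasons.push(`${name}:${a.code}`);
  }
  // Assumption: "low" means low confidence that the login is legitimate.
  if (risk.confidence === 'low') reasons.push('overall_confidence:low');

  const denyListed = reasons.includes('UntrustedIP:found_on_deny_list');
  const impossible = reasons.includes(
    'ImpossibleTravel:impossible_travel_from_last_login');
  // Two independent hard signals: reject even if MFA was completed.
  if (denyListed && impossible) return { action: 'deny', reasons };
  if (reasons.length > 0 && !mfaDone) return { action: 'mfa', reasons };
  return { action: 'allow', reasons };
}

// Post-login Action entry point: maps the decision onto the Actions API.
async function onExecutePostLogin(event, api) {
  const decision = evaluateLogin(event);
  if (decision.action === 'deny') {
    api.access.deny('Login blocked by risk policy');
  } else if (decision.action === 'mfa') {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
  return decision;
}

if (typeof module !== 'undefined') {
  module.exports = { onExecutePostLogin, evaluateLogin };
}
```

Keeping the decision in a pure function lets the policy be unit-tested against constructed event objects before the Action is deployed.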
event.authorization
An object containing information describing the authorization granted to the user who is logging in.
Includes the following properties:
  • roles Array of strings — An array containing the names of a user’s assigned roles.
event.client
Information about the Client with which this login transaction was initiated.
Includes the following properties:
  • client_id String — The client id of the application to which the user is logging in.
  • metadata Dictionary — An object for holding other application properties.
    Keys are String; values are one of: String
  • name String — The name of the application (as defined in the Dashboard).
  • refresh_token Optional object — [Private Early Access] An object for holding refresh token configuration properties.
    Includes the following properties:
    • policies Optional array of objects — [Private Early Access] Policies for multi-resource refresh token exchange (MRRT).
      Elements include:
      • audience Optional string — Resource server (audience) to which this MRRT policy applies.
      • scope Optional array of strings — Scopes of access authorized for the audience.
event.connection
Details about the Connection that was used to authenticate the user.
Includes:
  • id String — The connection’s unique identifier.
  • metadata Optional dictionary — Metadata associated with the connection.
    Keys are String; values are one of: String
  • name String — The name of the connection used to authenticate the user (e.g., twitter, some-g-suite-domain).
  • strategy String — The type of connection. For social connections, event.connection.strategy === event.connection.name. For enterprise connections, examples: waad (Azure AD), ad (AD/LDAP), auth0 (database), etc.
event.organization
Details about the Organization associated with the current transaction.
Includes:
  • display_name String — The friendly name of the Organization.
  • id String — The Organization identifier.
  • metadata Dictionary — Metadata associated with the Organization.
    Keys are String; values are one of: String
  • name String — The name of the Organization.
event.prompt
Collected data from rendered custom prompts.
Includes:
  • fields Optional string — Fields and hidden fields data.
  • id String — The prompt ID.
  • vars Optional string — Shared variables data.
event.refresh_token
[Enterprise Customers] The current refresh token.
Includes:
  • client_id Optional string — The ID of the client associated with the refresh token.
  • created_at String — Timestamp when the refresh token was created.
  • device Optional object — Includes:
    • initial_asn Optional string — First ASN associated with this refresh token.
    • initial_ip Optional string — First IP address associated with this refresh token.
    • initial_user_agent Optional string — First user agent of the device.
    • last_asn Optional string — Last ASN from which this token was exchanged.
    • last_ip Optional string — Last IP address from which this token was exchanged.
    • last_user_agent Optional string — Last user agent of the device.
  • expires_at Optional string — Absolute expiry timestamp.
  • id String — The refresh token ID.
  • idle_expires_at Optional string — Idle expiry timestamp.
  • last_exchanged_at Optional string — Timestamp of last successful exchange.
  • resource_servers Optional array of objects — Elements include:
    • audience String — The audience of the refresh token.
    • scopes String — Scopes of the refresh token.
  • rotating Optional boolean — Whether it is a rotating refresh token.
  • session_id Optional string — Session ID bound to the refresh token.
  • session_transfer Optional object — [Private Early Access] Defined when the session is created from a session transfer token (Native to Web SSO).
    Includes:
    • parent_refresh_token Optional object — Defined when the refresh token is created from a session initiated via session transfer.
      Includes:
      • id Optional string — The ID of the parent refresh token.
  • user_id Optional string — ID of the user bound to the refresh token.
event.request
Details about the request that initiated the transaction.
Includes:
  • asn Optional string — ASN of the user-agent making the request.
  • body String — Body of the POST request (available in refresh token, Client Credential Exchange, Post Login Action).
  • geoip Object — Includes:
    • cityName Optional string
    • continentCode Optional string
    • countryCode Optional string
    • countryCode3 Optional string
    • countryName Optional string
    • latitude Optional number
    • longitude Optional number
    • subdivisionCode Optional string
    • subdivisionName Optional string
    • timeZone Optional string
  • hostname Optional string — Hostname used for the authentication flow.
  • ip String — Originating IP address.
  • language Optional string — Language requested by the browser.
  • method String — HTTP method.
  • query String — Query string parameters sent to the authorization request.
  • user_agent Optional string — Value of the User-Agent header.
event.resource_server
Details about the resource server to which access is being requested.
Includes:
event.security_context
An object containing fingerprint signatures. Available only when traffic is handled through the Auth0 Edge (default Auth0-managed proxy layer); may be missing in other routing scenarios.
Includes:
  • ja3 Optional string — JA3 fingerprint signature (TLS only).
  • ja4 Optional string — JA4 fingerprint signature (TLS only).
event.session
The current login session.
Includes:
  • authenticated_at Optional string — [Enterprise Customers] Last authenticated time.
  • clients Optional array of objects — [Enterprise Customers] List of client details for the session.
    Elements include:
    • client_id String — ID of the client for the session.
  • created_at Optional string — [Enterprise Customers] When the session was created.
  • device Optional object — [Enterprise Customers] Device metadata.
    Includes:
    • initial_asn Optional string
    • initial_ip Optional string
    • initial_user_agent Optional string
    • last_asn Optional string
    • last_ip Optional string
    • last_user_agent Optional string
  • expires_at Optional string — [Enterprise Customers] Expiry time.
  • id String — Session ID.
  • idle_expires_at Optional string — [Enterprise Customers] Idle expiry time.
  • last_interacted_at Optional string — [Enterprise Customers] Last interaction time.
  • session_transfer Optional object — [Private Early Access] Defined when the session is created from a session transfer token (Native to Web SSO).
    Includes:
    • parent_refresh_token Optional object — Defined when the refresh token is created via session transfer.
      Includes:
      • id Optional string — Parent refresh token ID.
  • updated_at Optional string — [Enterprise Customers] Last update time.
  • user_id Optional string — [Enterprise Customers] User ID.
event.session_transfer_token
[Private Early Access] Details of the current session transfer token used to establish SSO from a native app to a web app.
Includes:
  • client_id String — Client identifier of the application that issued the token.
  • request Object — Details about the request that issued the token.
    Includes:
    • asn Optional string — ASN associated with the issuing request.
    • geoip Optional object — Includes:
      • cityName Optional string
      • continentCode Optional string
      • countryCode Optional string
      • countryCode3 Optional string
      • countryName Optional string
      • latitude Optional number
      • longitude Optional number
      • subdivisionCode Optional string
      • subdivisionName Optional string
      • timeZone Optional string
    • ip String — IP address associated with the issuing request.
    • user_agent Optional string — User-Agent of the device that issued the token.
  • scope Array of strings — Scopes requested when the token was issued.
event.stats
Login statistics for the current user.
Includes:
  • logins_count Number — Number of times the user has logged in.
event.tenant
Details about the Tenant associated with the current transaction.
Includes:
  • id String — The name of the tenant.
event.transaction
Details about the current transaction.
Includes:
  • acr_values Optional array of strings — Any acr_values provided in the original authentication request.
  • id Optional string — Unique identifier for the transaction (browser-based flows).
  • linking_id Optional string — Dynamic Linking ID to reference this transaction.
  • locale Optional string — Locale chosen for this transaction.
  • login_hint Optional string — Hint about the login identifier the end user might use.
  • metadata Dictionary — [Limited Early Access] Shared data across custom Actions for the duration of a transaction.
    Keys are String; values are one of: String, Number, Boolean
  • prompt Optional array of strings — Instructions for whether the user may be prompted for re-auth and consent.
  • protocol Optional string — Possible values include:
    • oidc-basic-profile — Most used, web-based login.
    • oidc-ciba — Client-Initiated Backchannel Authentication.
    • oauth2-token-exchange — Exchanging an assertion for an Auth0-issued token.
    • oidc-hybrid-profile — Hybrid profile (ID token immediate + secure retrieval of access/refresh tokens).
    • samlp — SAML protocol for SaaS apps.
    • wsfed — WS-Federation (e.g., Office365).
    • wstrust-usernamemixed — WS-Trust user/password (CRM/Office365).
    • oidc-implicit-profile — Mobile and SPAs.
    • oauth2-device-code — Device Authorization Flow.
    • oauth2-resource-owner — User/password login on database connections.
    • oauth2-resource-owner-jwt-bearer — Login using a bearer JWT.
    • oauth2-password — Password exchange.
    • oauth2-webauthn — WebAuthn exchange.
    • oauth2-access-token — (Deprecated) Getting a token with a Social Provider’s access token (see docs).
    • oauth2-refresh-token — Refreshing a token using the refresh token exchange.
  • redirect_uri Optional string — Where Auth0 redirects after completion.
  • requested_authorization_details Optional array of objects — Rich Authorization Requests Section 2.
    Elements include:
    • type String — Type of authorization details.
  • requested_scopes Optional array of strings — Scopes requested.
  • response_mode Optional string — Mechanism for returning parameters from the Authorization Endpoint.
    Possible values:
    • query
    • fragment
    • form_post
    • web_message
  • response_type Optional array of strings — Possible values:
    • code
    • token
    • id_token
  • state Optional string — Opaque string echoed back after redirect.
  • ui_locales Optional array of strings — ui_locales from the original request.
event.user
An object describing the user on whose behalf the current transaction was initiated.
Includes:
  • app_metadata String — Custom fields that impact access (e.g., plan, roles, groups).
  • created_at String — When the profile was created.
  • email Optional string — (unique) Email address.
  • email_verified Boolean — Whether the email is verified.
  • enrolledFactors Optional array of objects — Authentication factors the user has enrolled.
    Array elements:
    • Object describing an enrolled factor type and options.
      Includes:
      • options Optional string — Additional options for the enrolled factor.
      • type String — Factor type (e.g., push-notification, phone, email, otp, webauthn-roaming, webauthn-platform).
  • family_name Optional string — Family name.
  • given_name Optional string — Given name.
  • identities Array of objects — Info from identity providers used by the user (including linked profiles).
    Elements include:
    • connection Optional string — Name of the Auth0 connection.
    • isSocial Optional boolean — Whether the connection is social.
    • profileData Optional dictionary — User information associated with the connection (secondary accounts when linked).
      Keys are String; values are one of: String
    • provider Optional string — Provider name (e.g., Facebook, Google, SAML).
    • user_id Optional string — Unique identifier for this connection/provider.
  • last_password_reset Optional string — Last time the user’s password was changed (Database connections only).
  • multifactor Optional array of strings — MFA providers with which the user is enrolled.
  • name Optional string — Full name.
  • nickname Optional string — Nickname.
  • phone_number Optional string — Phone number.
  • phone_verified Optional boolean — Whether the phone number is verified.
  • picture Optional string — URL to the user’s profile picture.
  • updated_at String — When the profile was last updated.
  • user_id String — (unique) User ID.
  • user_metadata String — Custom fields that do not impact access (e.g., addresses, preferences).
  • username Optional string — (unique) Username.