> ## Documentation Index
> Fetch the complete documentation index at: https://docs.authsignal.com/llms.txt
> Use this file to discover all available pages before exploring further.

# action.log_created

> A snapshot of an action that has reached a terminal state. Sent in batches for SIEM/data lake forwarding.

These webhooks are asynchronous and delivered in batches of up to 500 events, after your tenant's challenge token duration (typically 15 minutes). Delivery is at-least-once, so de-duplicate using the envelope `id`.

Configure the webhook URL for log events in [tenant settings](https://portal.authsignal.com/organisations/tenants/settings).

## Batch delivery format

```json theme={null}
{
  "records": [
    { "type": "action.log_created",    "record": { } },
    { "type": "challenge.log_created", "record": { } }
  ]
}
```

## Payload

<ParamField path="tenantId" type="string" required>
  The ID of the tenant that the action occurred within.
</ParamField>

<ParamField path="userId" type="string" required>
  The ID of the user that the action was triggered by.
</ParamField>

<ParamField path="actionCode" type="string" required>
  The action being evaluated (e.g. `login`, `withdrawal`).
</ParamField>

<ParamField path="idempotencyKey" type="string" required>
  Unique per action instance.
</ParamField>

<ParamField path="createdAt" type="string" required>
  When the action was first evaluated.
</ParamField>

<ParamField path="updatedAt" type="string" required>
  When the action record was last updated.
</ParamField>

<ParamField path="state" type="string" required>
  Final action state. One of `ALLOW`, `BLOCK`, `CHALLENGE_REQUIRED`, `CHALLENGE_SUCCEEDED`, `CHALLENGE_FAILED`, `REVIEW_REQUIRED`.
</ParamField>

<ParamField path="stateUpdatedAt" type="string" required>
  When state last changed.
</ParamField>

<ParamField path="outcome" type="string" required>
  The rule engine decision. One of `ALLOW`, `BLOCK`, `CHALLENGE`, `REVIEW`. Immutable for the lifetime of the action.
</ParamField>

<ParamField path="verificationMethod" type="string">
  The method the user actually used to complete a challenge, if any (e.g. `EMAIL_OTP`, `PASSKEY`, `SMS`, `AUTHENTICATOR_APP`).
</ParamField>

<ParamField path="allowedVerificationMethods" type="string[]">
  The set of methods the user was offered for this challenge. Omitted if empty.
</ParamField>

<ParamField path="rules" type="object[]">
  Rules that fired during evaluation. Omitted if none.
</ParamField>

<ParamField path="priorityRuleId" type="string">
  The rule that drove the outcome, when multiple rules fired.
</ParamField>

<ParamField path="ipAddress" type="string">
  IP address of the request that initiated the action.
</ParamField>

<ParamField path="countryCode" type="string">
  Country resolved from the IP.
</ParamField>

<ParamField path="email" type="string">
  Email on file for the user at the time of the action.
</ParamField>

<ParamField path="phoneNumber" type="string">
  Phone number on file for the user at the time of the action.
</ParamField>

<ParamField path="deviceId" type="string">
  Opaque identifier for the device that initiated the action.
</ParamField>

<ParamField path="enrolledVerificationMethods" type="string[]">
  Verification methods the user had enrolled at the time of the action.
</ParamField>

<ParamField path="custom" type="object">
  Custom key/value data supplied by your application. Omitted if empty.
</ParamField>

<ResponseExample>
  ```json action.log_created theme={null}
  {
    "version": 1,
    "id": "ffffffff-ffff-ffff-ffff-ffffffffffff",
    "source": "https://authsignal.com",
    "time": "2026-04-22T01:08:05.197Z",
    "tenantId": "dddddddd-dddd-dddd-dddd-dddddddddddd",
    "type": "action.log_created",
    "record": {
      "tenantId": "dddddddd-dddd-dddd-dddd-dddddddddddd",
      "userId": "user_abc",
      "actionCode": "login",
      "idempotencyKey": "bb51e6b9-a7f8-4f03-8044-2940ae574236",
      "createdAt": "2026-04-22T01:08:05.197Z",
      "updatedAt": "2026-04-22T01:08:05.197Z",
      "state": "CHALLENGE_SUCCEEDED",
      "stateUpdatedAt": "2026-04-22T01:10:34.067Z",
      "outcome": "CHALLENGE",
      "verificationMethod": "EMAIL_OTP",
      "allowedVerificationMethods": ["PASSKEY", "EMAIL_OTP", "AUTHENTICATOR_APP"],
      "rules": [
        { "id": "40fcd205-5318-41d7-b225-3b6122b13654", "name": "challenge nz" }
      ],
      "priorityRuleId": "40fcd205-5318-41d7-b225-3b6122b13654",
      "ipAddress": "192.168.1.1",
      "countryCode": "NZ",
      "email": "alice@example.com",
      "phoneNumber": "+64221234567",
      "deviceId": "device_xyz",
      "enrolledVerificationMethods": ["AUTHENTICATOR_APP", "EMAIL_OTP"],
      "custom": { "plan": "pro" }
    }
  }
  ```
</ResponseExample>
