> ## Documentation Index
> Fetch the complete documentation index at: https://docs.authsignal.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Update Action

> Update an action.



## OpenAPI

````yaml server-api PATCH /users/{userId}/actions/{action}/{idempotencyKey}
openapi: 3.0.0
info:
  description: Authsignal's Server API.
  version: 1.0.0
  title: Server API
  termsOfService: https://www.authsignal.com/legal/terms-of-service
  contact:
    email: hello@authsignal.com
servers:
  - url: https://api.authsignal.com/v1
  - url: https://au.api.authsignal.com/v1
  - url: https://eu.api.authsignal.com/v1
  - url: https://ca.api.authsignal.com/v1
security:
  - basicAuth: []
tags:
  - name: users
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
  - name: challenge
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
  - name: authenticator configurations
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
  - name: actions
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
  - name: query
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
  - name: email
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
  - name: sms
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
  - name: verify
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
  - name: challenges
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
  - name: sessions
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
  - name: devices
    description: ''
    externalDocs:
      description: Find out more
      url: https://docs.authsignal.com
externalDocs:
  description: Find out more about Authsignal
  url: https://docs.authsignal.com
paths:
  /users/{userId}/actions/{action}/{idempotencyKey}:
    patch:
      tags:
        - users
      summary: Update action
      description: Update an action.
      operationId: updateAction
      parameters:
        - $ref: '#/components/parameters/userId'
        - $ref: '#/components/parameters/action'
        - $ref: '#/components/parameters/idempotencyKey'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UpdateActionResponseBody'
        '400':
          $ref: '#/components/responses/InvalidRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
components:
  parameters:
    userId:
      name: userId
      in: path
      description: The ID of the user.
      required: true
      schema:
        type: string
    action:
      name: action
      in: path
      description: >-
        A short human-readable code which defines the action that the user is
        performing, e.g. `signIn`. This value will be displayed in the
        Authsignal Portal and can be used to configure rules for authentication
        events with differing risk profiles. Values are validated with the
        following regex: `^[a-zA-Z0-9_-]{(1, 64)}$`.
      required: true
      schema:
        type: string
    idempotencyKey:
      name: idempotencyKey
      in: path
      description: The unique key which identifies the particular action which was tracked.
      required: true
      schema:
        type: string
  schemas:
    UpdateActionResponseBody:
      type: object
      properties:
        state:
          $ref: '#/components/schemas/ActionState'
        createdAt:
          type: string
          format: date-time
          description: >-
            The time in ISO 8061 format when the action was first created via
            track.
        stateUpdatedAt:
          type: string
          format: date-time
          description: >-
            The time in ISO 8061 format when the state of the action was last
            updated.
        output:
          $ref: '#/components/schemas/ActionOutput'
        verificationMethod:
          $ref: '#/components/schemas/VerificationMethod'
        ruleIds:
          type: array
          items:
            type: string
          description: The IDs of the triggered rules.
    ActionState:
      type: string
      enum:
        - ALLOW
        - BLOCK
        - CHALLENGE_REQUIRED
        - CHALLENGE_FAILED
        - CHALLENGE_SUCCEEDED
        - REVIEW_REQUIRED
        - REVIEW_FAILED
        - REVIEW_SUCCEEDED
      description: The current state of the action.
    ActionOutput:
      type: object
      properties:
        custom:
          type: object
          description: The custom data passed as input when tracking the action.
        device:
          type: object
          properties:
            attestationResult:
              $ref: '#/components/schemas/AttestationResult'
          description: Device information associated with the action.
      description: >-
        The output produced by the rules engine when determining if the action
        requires a challenge.
    VerificationMethod:
      type: string
      enum:
        - SMS
        - AUTHENTICATOR_APP
        - EMAIL_MAGIC_LINK
        - EMAIL_OTP
        - PUSH
        - DEVICE
        - SECURITY_KEY
        - PASSKEY
        - VERIFF
        - IPROOV
        - PALM_BIOMETRICS_RR
        - IDVERSE
    Error:
      type: object
      properties:
        error:
          type: string
        errorDescription:
          type: string
      required:
        - error
    AttestationResult:
      type: object
      properties:
        verdict:
          type: string
          enum:
            - VALID
            - FAILED_INTEGRITY
            - FAILED_APP_IDENTITY
            - FAILED_DEVICE
            - ERROR
          description: The overall attestation verdict.
        provider:
          type: string
          enum:
            - APP_ATTEST
            - PLAY_INTEGRITY
          description: The attestation provider used.
        deviceIntegrity:
          type: boolean
          description: Whether the device passed integrity checks (not rooted/jailbroken).
        appIntegrity:
          type: boolean
          description: Whether the calling app matches the expected package/bundle.
        riskMetric:
          type: number
          description: >-
            iOS only. Approximate count of unique attestations for this device
            over the past 30 days.
        keyId:
          type: string
          description: iOS only. The attestation key identifier.
        bundleId:
          type: string
          description: iOS only. The matched bundle identifier.
        deviceActivityLevel:
          type: string
          description: >-
            Android only. Token request volume level: LEVEL_1 (low) to LEVEL_4
            (high).
        playProtectVerdict:
          type: string
          description: >-
            Android only. Play Protect malware status: NO_ISSUES, MEDIUM_RISK,
            HIGH_RISK, etc.
        deviceRecognitionVerdict:
          type: array
          items:
            type: string
          description: >-
            Android only. Device integrity labels (e.g. MEETS_BASIC_INTEGRITY,
            MEETS_DEVICE_INTEGRITY, MEETS_STRONG_INTEGRITY).
        appRecognitionVerdict:
          type: string
          description: >-
            Android only. App recognition verdict: PLAY_RECOGNIZED,
            UNRECOGNIZED_VERSION, UNEVALUATED.
        appLicensingVerdict:
          type: string
          description: >-
            Android only. App licensing verdict: LICENSED, UNLICENSED,
            UNEVALUATED.
        sdkVersion:
          type: number
          description: Android only. Android SDK version of the OS running on the device.
        requestPackageName:
          type: string
          description: Android only. The package name from the request.
        versionCode:
          type: string
          description: Android only. The app version code.
        appAccessRiskVerdict:
          type: array
          items:
            type: string
          description: >-
            Android only. Apps detected on device by App Access Risk (e.g.
            KNOWN_INSTALLED, UNKNOWN_INSTALLED).
      required:
        - verdict
        - provider
        - deviceIntegrity
        - appIntegrity
  responses:
    InvalidRequest:
      description: Invalid Request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: Not Found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic
      description: >-
        Use your Authsignal Server API secret key as the username and leave the
        password empty. The secret key can be found in the API Keys section of
        the Authsignal Portal settings page.

````