What are user actions?
Actions represent security-relevant events in your application and serve as the foundation for implementing:
- Multi-factor authentication (MFA) - Challenge users after primary authentication
- Step-up authentication - Require additional verification for sensitive operations
- Adaptive authentication - Apply rules based on risk factors and context
- Passwordless authentication - Use Authsignal as the primary authentication method
Action operations
Track action
The primary method for recording user activities and initiating authentication challenges. This is the core operation you’ll use throughout your application.
- User ID - Unique identifier for the user
- Action code - What the user is doing (e.g., “signIn”, “withdrawFunds”)
- Attributes - Contextual information for risk assessment
Get action
Retrieve detailed information about a previously tracked action using its unique identifiers.
Query actions
Retrieve a list of actions for a specific user to view their authentication history.
Update action
Manually modify the state of a previously tracked action. This is useful for administrative actions or custom workflows.
Action states
Every action results in one of these states, which determines how your application should respond:
State | Description | Recommended Action |
---|---|---|
ALLOW | User is trusted, no challenge required | Proceed with the requested operation |
CHALLENGE_REQUIRED | User must complete authentication | Present authentication challenge |
REVIEW | Action requires manual review | Queue for administrative review |
BLOCK | Action is blocked for security reasons | Deny the requested operation |
State transitions
Actions can transition between states based on user interactions and administrative actions:
Action attributes
When tracking actions, you can provide contextual information that helps with risk assessment and rule evaluation:
Standard attributes
Attribute | Type | Description |
---|---|---|
email | string | User’s email address |
phoneNumber | string | User’s phone number in E.164 format |
deviceId | string | Unique device identifier (from Authsignal Web SDK cookie) |
userAgent | string | Browser user agent string |
ipAddress | string | User’s IP address |
redirectUrl | string | URL for redirect after pre-built UI completion |
redirectToSettings | boolean | Show settings page after challenge completion |
Custom attributes
Use the custom field to pass business-specific data for use in rules:
Action lifecycle
Understanding the complete action lifecycle helps you implement robust authentication flows:
1. Action creation
Actions are created when you call track(). Each action gets:
- Unique identifiers (userId, action, idempotencyKey)
- Initial state based on rules evaluation
- Contextual metadata (IP, user agent, custom data)
2. Rule evaluation
When an action is tracked, Authsignal’s rules engine evaluates:
- User enrollment status
- Configured rules and conditions
- Risk factors and context
- Custom business logic
3. Challenge flow (if required)
For CHALLENGE_REQUIRED actions:
- Generate short-lived token or URL
- User completes authentication via pre-built UI or Client SDKs
- Action state updates to CHALLENGE_SUCCEEDED or CHALLENGE_FAILED
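The four action states and the standard attributes described above, combined into one server-side gate that fails closed. This is an added example, not Authsignal SDK code or code from this page: track is an injected function with an assumed { userId, action, attributes } signature, and the url result field and the HTTP status codes are assumptions.

```javascript
// Added example, not Authsignal SDK code. `track` is an injected function
// (hypothetical signature) taking { userId, action, attributes } and resolving
// to a result with a `state`; the `url` field on the result is an assumption.
// HTTP status codes are this example's choice.
const STATE_HANDLERS = {
  ALLOW: () => ({ status: 200, proceed: true }),
  CHALLENGE_REQUIRED: (r) => ({ status: 401, proceed: false, challengeUrl: r.url }),
  REVIEW: () => ({ status: 202, proceed: false, queuedForReview: true }),
  BLOCK: () => ({ status: 403, proceed: false }),
};

// Map a tracked action's state to an application response. Own-property
// lookup keeps states such as "constructor" from resolving to a prototype
// function, and anything outside the four documented states is denied.
function responseForState(result) {
  const state = result ? result.state : undefined;
  if (!Object.prototype.hasOwnProperty.call(STATE_HANDLERS, state)) {
    return { status: 403, proceed: false, reason: "unknown_state" };
  }
  return STATE_HANDLERS[state](result);
}

// Take ipAddress and userAgent from what the server observed on the
// connection, not from fields in the request body that the client controls.
function buildAttributes(req, custom) {
  return {
    ipAddress: req.socket.remoteAddress,
    userAgent: req.headers["user-agent"],
    custom, // business-specific data for rules
  };
}

// Track the action, then gate the operation on the returned state.
async function guardAction(track, req, userId, action, custom = {}) {
  let result;
  try {
    result = await track({ userId, action, attributes: buildAttributes(req, custom) });
  } catch (err) {
    // Fail closed: a tracking error must not be treated as ALLOW.
    return { status: 503, proceed: false, reason: "track_failed" };
  }
  return responseForState(result);
}
```

Behind a reverse proxy the socket address is the proxy's, so take the client address from the forwarding header your own proxy sets rather than from the socket.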