Documentation Index Fetch the complete documentation index at: https://fillout.com/help/llms.txt
Use this file to discover all available pages before exploring further.
This page lists every event type captured by Fillout audit logs. Each event includes a timestamp , actor , outcome , and an event-specific payload with additional details.
Events marked with a security-critical — actions that could affect account security or data integrity.
Authentication Event Description auth.login.successUser logged in successfully. Payload includes the login method (password, google, microsoft, sso). auth.login.failureLogin attempt failed. Payload includes the attempted email and failure reason. auth.logoutUser logged out. auth.impersonateA super-user logged in as another user. Payload includes the target user.
Passwords & MFA Event Description auth.password.resetRequestA password reset email was requested for an account. auth.password.resetCompleteA password was successfully reset via the reset link. auth.password.selfChangeA user changed their own password from settings. auth.password.adminChangeAn admin changed another user’s password. auth.mfa.enableMFA was enabled for a user account. auth.mfa.disableMFA was disabled for a user account.
Sessions & SSO Event Description auth.sso.deprovisionA user was deprovisioned via SSO (WorkOS webhook). auth.session.deleteAllAll sessions were invalidated for a user.
API keys Event Description api.key.enableAPI access was enabled for the organization. api.key.regenerateThe organization’s API key was regenerated. The old key stops working immediately.
Developer apps (OAuth) Event Description developer.app.createA new OAuth application was created. developer.app.deleteAn OAuth application was deleted. developer.app.resetSecretAn OAuth application’s client secret was regenerated.
User management Event Description user.inviteA user was invited to the organization. Payload includes the invited email and role. user.invite.resendAn invitation email was resent. user.invite.revokeA pending invitation was revoked. user.disableA user account was disabled. user.roleChangeA user’s role was changed (e.g., member → admin). Payload includes the new role. user.accessChangeA user’s workspace or resource access was updated. Payload includes the changes.
Organization Event Description org.requireMfaThe organization-wide MFA requirement was toggled. Payload includes whether it was enabled or disabled. org.changeNameThe organization’s name was changed. Payload includes the new name. org.deleteThe organization was deleted.
Groups Event Description group.createA new user group was created. group.renameA group was renamed. Payload includes the old and new names. group.deleteA group was deleted. group.membersChangeMembers were added or removed from a group. Payload includes the count of additions and removals. group.accessChangeA group’s workspace or resource access was updated.
Event payload Every event includes a JSON payload in the detail view with event-specific data. Common payload fields include:
Field Description target.typeThe type of resource affected (e.g., user, organization, group) target.idThe ID of the affected resource target.nameThe display name of the affected resource at the time of the event emailThe email address involved (for auth and invite events) from / toThe old and new values (for rename and role change events) changesThe full set of changes applied (for update events)
