Audit Event Reference
This is a reference for audit events emitted by Specmatic Insights.
For UI navigation and export setup workflows, see Audit Trail.
Reading Guide
typeis the stable contract key for programmatic handling.detailsis event-specific; fields may be absent unless explicitly documented for thattype.summaryis human-readable and non-contractual; do not parse it for automation.
Event Format
Top-level fields:
| field name | data type | description |
|---|---|---|
id | uuid | Unique audit event ID. |
type | string (enum) | Audit event type (for example AUTH_LOGIN_SUCCESS). |
timestamp | string (ISO-8601 UTC datetime) | Event timestamp in UTC. |
severity | string (enum) | One of INFO, WARN, ERROR. |
summary | string | Human-readable event summary. |
actorType | string (enum) | One of SYSTEM, USER, LICENSE, LEGACY_INSIGHTS_BUILD_REPORTER. |
actorId | string | null | Actor identifier when available. Typically a UUID string; for unauthenticated-user flows this is the literal "(unauthenticated)". |
actorDisplay | string | null | Actor display value (for example email) when available. |
sourceIp | string | null | Source IP when available. |
targetType | string | null | Target entity type when applicable. One of USER, ORGANIZATION, SCIM_GROUP, BUILD, LICENSE. |
targetId | string | null | Target entity identifier when applicable. Treat this as an opaque string in downstream processing. |
details | object | Event-specific payload. Shape depends on type. Present as {} when no event-specific keys are defined. |
Request context fields:
| field name | data type | description |
|---|---|---|
destinationHostname | string | Destination hostname recorded for the request context. Always present. |
httpUserAgent | string | null | HTTP user agent when available. For build submissions and license refresh/poll requests, this contains the version of Specmatic making the call. |
httpReferer | string | null | HTTP referer when available. |
httpMethod | string | null | HTTP method when available. |
httpProtocol | string | null | Request protocol (typically http or https) when available. |
httpPort | number | null | Request port when available (for example 80, 443). |
httpUrl | string | null | Request path with query string (no scheme, host, or port). |
Default severity behavior:
| field name | data type | description |
|---|---|---|
severity for AUTH_LOGIN_FAILED | string | Always WARN. |
severity for AUDIT_EXPORT_FAILED | string | Always ERROR. |
severity for all other event types | string | Defaults to INFO. |
details.error and details.exception are operational diagnostics. Treat these as non-contractual and potentially sensitive in downstream systems.
Event Categories and Details
Authentication
AUTH_LOGIN_SUCCESS
Emitted when authentication succeeds (password login or SSO).
Allowed values:
details.authMethod:password,SAML,OIDC
| field name | data type | description |
|---|---|---|
details.authMethod | string | Authentication method for the successful login (password, SAML, or OIDC). |
Example event:
{
"id": "315f3f7f-59d5-43dd-b8b8-6f3f043ac2a5",
"type": "AUTH_LOGIN_SUCCESS",
"timestamp": "2026-03-10T10:15:30Z",
"severity": "INFO",
"summary": "User user@example.com logged in via OIDC.",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "user@example.com",
"sourceIp": "203.0.113.10",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/login",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/auth/login",
"details": {
"authMethod": "OIDC"
}
}
AUTH_LOGIN_FAILED
Emitted when authentication fails. details may vary by auth flow and failure point.
| field name | data type | description |
|---|---|---|
details.error | string | Error message for login failure. |
details.authMethod | string | Authentication method for the failed login (password, SAML, or OIDC). |
details.registrationId | string | Present when the organization is resolved (for password failures and most SSO failures). |
details.exception | string | Present for onboarding/internal failure variants to indicate exception type. |
Example event:
{
"id": "d0ce4f17-b6d0-40cb-a3c7-5d6eaf279bac",
"type": "AUTH_LOGIN_FAILED",
"timestamp": "2026-03-10T10:16:10Z",
"severity": "WARN",
"summary": "Login failed for user@example.com",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "user@example.com",
"sourceIp": "203.0.113.11",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/login",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/auth/login",
"details": {
"error": "Bad credentials",
"authMethod": "password"
}
}
AUTH_LOGOUT
Emitted when a logged-in user signs out successfully.
| field name | data type | description |
|---|---|---|
details | object | No fixed details fields are currently defined; currently emitted as {}. |
Example event:
{
"id": "521f870f-15ee-4195-a203-63d7c9521db2",
"type": "AUTH_LOGOUT",
"timestamp": "2026-03-10T10:20:00Z",
"severity": "INFO",
"summary": "User user@example.com logged out",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "user@example.com",
"sourceIp": "203.0.113.10",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/settings/profile",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/auth/logout",
"details": {
}
}
User Lifecycle
USER_CREATED
Emitted when a new user account is created (for example invite flow or first-time SSO onboarding).
| field name | data type | description |
|---|---|---|
details | object | Usually {} for invite flow. |
details.authMethod | string | Present for SSO-created users (SAML or OIDC) to indicate which auth method created the user. |
Example event:
{
"id": "fd499cb3-2f7d-43f7-a99b-a7d8678e0f80",
"type": "USER_CREATED",
"timestamp": "2026-03-10T10:25:00Z",
"severity": "INFO",
"summary": "User invitee@example.com created",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.20",
"targetType": "USER",
"targetId": "9e531045-84b7-46cc-9318-0905c40c122f",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/settings/users",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/invite",
"details": {
}
}
USER_INVITED_TO_ORG
Emitted when a user is invited to join an organization through the invite flow. This event captures the invitation action itself, before the invited user actually joins the organization.
| field name | data type | description |
|---|---|---|
targetType | string | ORGANIZATION. |
targetId | string | Organization ID where the invitation was initiated. |
details | object | No fixed details fields are currently defined; currently emitted as {}. |
Example event:
{
"id": "75f496fc-9ca2-4f8a-af59-f4fdbe7d5f73",
"type": "USER_INVITED_TO_ORG",
"timestamp": "2026-03-10T10:26:00Z",
"severity": "INFO",
"summary": "User invitee@example.com invited to Acme Corp by admin@example.com",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.20",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/settings/users",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/invite",
"details": {}
}
USER_ADDED_TO_ORG
Emitted when a user is added to an organization. This includes organization creation flows and SSO onboarding flows that add the user to the organization on first login.
| field name | data type | description |
|---|---|---|
targetType | string | ORGANIZATION. |
targetId | string | Organization ID where the user was added. |
details | object | Usually {} for org-create/invite paths. |
details.authMethod | string | Present for SSO onboarding-created additions (SAML or OIDC) to indicate which auth method path. |
Example event:
{
"id": "75f496fc-9ca2-4f8a-af59-f4fdbe7d5f73",
"type": "USER_ADDED_TO_ORG",
"timestamp": "2026-03-10T10:26:00Z",
"severity": "INFO",
"summary": "User invitee@example.com added to Acme Corp",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.20",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/settings/users",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/invite",
"details": {
}
}
USER_REMOVED_FROM_ORG
Emitted when a user is removed from the organization. For bulk remove requests, events are emitted only for entries with a successful REMOVED outcome.
| field name | data type | description |
|---|---|---|
details.id | string | Requested user ID for this event. |
details.email | string | Requested user email for this event. |
Example event:
{
"id": "a5db1f1b-a2ff-41d0-b0d3-8a12ea40dc06",
"type": "USER_REMOVED_FROM_ORG",
"timestamp": "2026-03-10T10:27:00Z",
"severity": "INFO",
"summary": "User user@example.com removed from organization by admin@example.com",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.20",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/settings/users",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/users/remove/bulk",
"details": {
"id": "9e531045-84b7-46cc-9318-0905c40c122f",
"email": "user@example.com"
}
}
USER_ROLE_CHANGED
Emitted when a user's role is changed (for example via bulk role update in collaborators settings). For bulk role updates, one event is emitted for each successful role change.
| field name | data type | description |
|---|---|---|
details.id | string | User ID whose role changed. |
details.email | string | User email whose role changed. |
details.oldRole | string | Previous role (USER, ORG_ADMIN, or SUPER_ADMIN). |
details.newRole | string | New role (USER, ORG_ADMIN, or SUPER_ADMIN). |
Example event:
{
"id": "8d808c5f-1e20-4cb3-91ad-f9879f12a957",
"type": "USER_ROLE_CHANGED",
"timestamp": "2026-03-10T10:27:30Z",
"severity": "INFO",
"summary": "User user@example.com role changed from USER to ORG_ADMIN by admin@example.com",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.20",
"targetType": "USER",
"targetId": "9e531045-84b7-46cc-9318-0905c40c122f",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/settings/collaborators",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/users/role/bulk",
"details": {
"id": "9e531045-84b7-46cc-9318-0905c40c122f",
"email": "user@example.com",
"oldRole": "USER",
"newRole": "ORG_ADMIN"
}
}
USER_PASSWORD_CHANGED
Emitted when an authenticated user changes password via the settings flow.
| field name | data type | description |
|---|---|---|
details | object | No fixed details fields are currently defined; currently emitted as {}. |
Example event:
{
"id": "f2ce92b1-ddd6-463f-a61e-8d98a77111c4",
"type": "USER_PASSWORD_CHANGED",
"timestamp": "2026-03-10T10:28:00Z",
"severity": "INFO",
"summary": "User user@example.com changed their password.",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "user@example.com",
"sourceIp": "203.0.113.10",
"targetType": "USER",
"targetId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/settings/security",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/users/password",
"details": {}
}
USER_PASSWORD_RESET_REQUESTED
Emitted when a password reset request is accepted for a user. This applies only to organizations that do not use SSO integration.
| field name | data type | description |
|---|---|---|
details | object | No fixed details fields are currently defined; currently emitted as {}. |
Example event:
{
"id": "d3fd691f-a052-48c4-ad36-2ab572e4f0ac",
"type": "USER_PASSWORD_RESET_REQUESTED",
"timestamp": "2026-03-10T10:29:00Z",
"severity": "INFO",
"summary": "User requested password reset",
"actorType": "USER",
"actorId": "(unauthenticated)",
"actorDisplay": "user@example.com",
"sourceIp": "203.0.113.12",
"targetType": "USER",
"targetId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/forgot-password",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/auth/send-password-reset-email",
"details": {}
}
USER_PASSWORD_RESET
Emitted when a password reset is completed (including invite acceptance password set). This applies only to organizations that do not use SSO integration.
| field name | data type | description |
|---|---|---|
details | object | No fixed details fields are currently defined; currently emitted as {}. |
Example event:
{
"id": "bbca84ed-7231-4b9d-8caa-177f2ca2e61a",
"type": "USER_PASSWORD_RESET",
"timestamp": "2026-03-10T10:31:00Z",
"severity": "INFO",
"summary": "Password for user@example.com was reset using a password reset token.",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "user@example.com",
"sourceIp": "203.0.113.12",
"targetType": "USER",
"targetId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/reset-password",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/auth/password-reset",
"details": {}
}
Organization Lifecycle and Configuration updates
ORG_CREATED
Emitted when a new organization is created.
| field name | data type | description |
|---|---|---|
details | object | No fixed details fields are currently defined; currently emitted as {}. |
Example event:
{
"id": "2202299a-98b2-4f8c-b5b6-72ab8ff86d90",
"type": "ORG_CREATED",
"timestamp": "2026-03-10T10:40:00Z",
"severity": "INFO",
"summary": "Organization Acme Corp created by admin@example.com",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.20",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/onboarding",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/organizations",
"details": {
}
}
ORG_CONFIG_CHANGED
Emitted for organization-level configuration changes across audit export, license, and organization settings.
Allowed values:
details.configType:auditExport,license,organization
Common fields:
| field name | data type | description |
|---|---|---|
details.configType | string | Configuration scope changed. |
details.before | object | null | Previous configuration snapshot for the selected configType. |
details.after | object | null | New configuration snapshot for the selected configType. |
When details.configType = auditExport:
| field name | data type | description |
|---|---|---|
details.before.enabled | boolean | Previous audit export enabled state. |
details.before.batchSize | number | Previous audit export batch size. |
details.after.enabled | boolean | New audit export enabled state. |
details.after.batchSize | number | New audit export batch size. |
When details.configType = license:
| field name | data type | description |
|---|---|---|
details.before.seatCount | number | Previous configured seat count. |
details.before.individualRateLimit | number | Previous individual rate limit. |
details.before.ciDailyRunLimit | number | Previous CI daily run limit. |
details.before.endDate | string | Previous license end date. |
details.before.licenseType | string | Previous license type. |
details.after.seatCount | number | New configured seat count. |
details.after.individualRateLimit | number | New individual rate limit. |
details.after.ciDailyRunLimit | number | New CI daily run limit. |
details.after.endDate | string | New license end date. |
details.after.licenseType | string | New license type. |
When details.configType = organization:
| field name | data type | description |
|---|---|---|
details.before.name | string | Previous organization name. |
details.before.minCoverageThreshold | number | Previous minimum coverage threshold. |
details.before.maxMissedEndpointsThreshold | number | Previous maximum missed endpoints threshold. |
details.before.seatCountUsageThresholdPercentages | number[] | Previous seat usage alert thresholds. |
details.after.name | string | New organization name. |
details.after.minCoverageThreshold | number | New minimum coverage threshold. |
details.after.maxMissedEndpointsThreshold | number | New maximum missed endpoints threshold. |
details.after.seatCountUsageThresholdPercentages | number[] | New seat usage alert thresholds. |
Example event:
{
"id": "9c94fcf4-1830-4a0e-8a35-0f8e35f0a8fe",
"type": "ORG_CONFIG_CHANGED",
"timestamp": "2026-03-10T11:00:00Z",
"severity": "INFO",
"summary": "Organization license config updated",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.20",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/settings/audit",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/license-config",
"details": {
"configType": "license",
"before": {
"seatCount": 50,
"licenseType": "TEAM"
},
"after": {
"seatCount": 75,
"licenseType": "TEAM"
}
}
}
SSO_CONFIG_CHANGED
Emitted when SSO configuration for an organization is created, updated, or disabled.
| field name | data type | description |
|---|---|---|
details.before | object | null | Previous SSO configuration state. |
details.after | object | New SSO configuration state. |
details.before.type | string | Previous SSO type when present (SAML, OIDC, NONE). |
details.after.type | string | New SSO type (SAML, OIDC, NONE). |
details.before.enabled | boolean | Previous SSO enabled state when present. |
details.after.enabled | boolean | New SSO enabled state. |
details.before.spEntityId | string | null | Previous SAML SP entity ID. |
details.after.spEntityId | string | null | New SAML SP entity ID. |
details.before.idpEntityId | string | null | Previous SAML IdP entity ID. |
details.after.idpEntityId | string | null | New SAML IdP entity ID. |
details.before.metadataUrl | string | null | Previous SAML metadata URL. |
details.after.metadataUrl | string | null | New SAML metadata URL. |
details.before.certificate | string | null | Previous SAML certificate. |
details.after.certificate | string | null | New SAML certificate. |
details.before.discoveryUrl | string | null | Previous OIDC discovery URL. |
details.after.discoveryUrl | string | null | New OIDC discovery URL. |
details.before.clientId | string | null | Previous OIDC client ID. |
details.after.clientId | string | null | New OIDC client ID. |
details.before.scopes | string | null | Previous OIDC scopes string. |
details.after.scopes | string | null | New OIDC scopes string. |
clientSecret is intentionally never included in audit event details.
Example event:
{
"id": "680f7a95-f357-4f1d-bfdc-b7f4dc39a9b0",
"type": "SSO_CONFIG_CHANGED",
"timestamp": "2026-03-10T11:10:00Z",
"severity": "INFO",
"summary": "Organization SSO config updated",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.20",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/settings/sso",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/sso-config",
"details": {
"before": null,
"after": {
"type": "OIDC",
"enabled": true,
"spEntityId": null,
"idpEntityId": null,
"metadataUrl": null,
"certificate": null,
"discoveryUrl": "https://example.okta.com",
"clientId": "oidc-client-id",
"scopes": "openid profile email"
}
}
}
Build Ingestion
BUILD_SUBMITTED_SERVICE
Emitted when a service build report is submitted and accepted.
For this event, httpUserAgent records the version of Specmatic used to post the build.
| field name | data type | description |
|---|---|---|
details.repo | string | null | Repository name. |
details.repoId | string | null | Repository identifier. |
details.branchName | string | null | Branch name for submitted build. |
details.reportType | string | Build report type. Value is SERVICE for this event. |
Example event:
{
"id": "a7bf7cf3-567b-46f4-bfcd-e4f4fdde8b3a",
"type": "BUILD_SUBMITTED_SERVICE",
"timestamp": "2026-03-10T11:40:00Z",
"severity": "INFO",
"summary": "Build submitted",
"actorType": "LICENSE",
"actorId": "f8e6d960-9816-4215-ad2e-07356da7c11e",
"actorDisplay": "bob@example.com",
"sourceIp": "198.51.100.30",
"targetType": "BUILD",
"targetId": "456",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "specmatic/2.3.1",
"httpReferer": null,
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/builds/reports",
"details": {
"repo": "payments-service",
"repoId": "repo_42",
"branchName": "main",
"reportType": "SERVICE"
}
}
BUILD_SUBMITTED_CENTRAL_REPO
Emitted when a central-repository build report is submitted and accepted.
For this event, httpUserAgent records the version of Specmatic used to post the build.
| field name | data type | description |
|---|---|---|
details.repo | string | null | Repository name. |
details.repoId | string | null | Repository identifier. |
details.branchName | string | null | Branch name for submitted build. |
details.reportType | string | Build report type. Value is CENTRAL_REPO for this event. |
Example event:
{
"id": "966ecb7b-282f-4140-a91b-2f58bd93b59c",
"type": "BUILD_SUBMITTED_CENTRAL_REPO",
"timestamp": "2026-03-10T11:45:00Z",
"severity": "INFO",
"summary": "Build submitted",
"actorType": "LICENSE",
"actorId": "f8e6d960-9816-4215-ad2e-07356da7c11e",
"actorDisplay": "bob@example.com",
"sourceIp": "198.51.100.31",
"targetType": "BUILD",
"targetId": "457",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "specmatic/2.3.1",
"httpReferer": null,
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/builds/reports",
"details": {
"repo": "contracts-central",
"repoId": "repo_87",
"branchName": "main",
"reportType": "CENTRAL_REPO"
}
}
License and Code Lifecycle
LICENSE_CODE_APPROVED
Emitted when a license code is approved for later exchange.
| field name | data type | description |
|---|---|---|
details.code | string | Approved code value. |
details.labels | string[] | Labels associated with the code. |
Example event:
{
"id": "ef98680d-dd8d-45a8-9802-63dd96bcf51d",
"type": "LICENSE_CODE_APPROVED",
"timestamp": "2026-03-10T12:00:00Z",
"severity": "INFO",
"summary": "License code approved by user@example.org",
"actorType": "USER",
"actorId": "3b86d32b-0caa-44a2-9ab6-60f58ed719d7",
"actorDisplay": "user@example.org",
"sourceIp": "198.51.100.40",
"targetType": "ORGANIZATION",
"targetId": "004a2af5-b572-4e23-9ec6-7e6bc1a6957d",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": "https://insights.specmatic.io/dashboard/validate-license?code=ABC-123",
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/orgs/004a2af5-b572-4e23-9ec6-7e6bc1a6957d/licenses/approve-request",
"details": {
"code": "ABC-123",
"labels": [
"enterprise"
]
}
}
LICENSE_ISSUED_FROM_CODE
Emitted when an approved code is exchanged and a license is issued.
| field name | data type | description |
|---|---|---|
details.code | string | Consumed code value. |
details.licenseId | string | Issued license ID. |
details.licensee | string | Licensee field of the generated license. |
details.generatedBy | string | Identity that generated the license. |
details.licenseExpiry | string (ISO-8601 datetime) | License expiry timestamp. |
details.labels | string[] | Labels attached to the issued license/code. |
Example event:
{
"id": "f8f8e5a2-cbd8-4fe5-a4d8-0bbfd82d2991",
"type": "LICENSE_ISSUED_FROM_CODE",
"timestamp": "2026-03-10T12:10:00Z",
"severity": "INFO",
"summary": "License issued to user@example.org from approved code",
"actorType": "USER",
"actorId": "7775ef9b-cca6-4118-86f1-5116cddfcf59",
"actorDisplay": "user@example.org",
"sourceIp": "198.51.100.40",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "specmatic-enterprise/2.3.1",
"httpReferer": null,
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/license/poll?code=ABC-123",
"details": {
"code": "ABC-123",
"licenseId": "153ad73c-d7ee-4cfd-8edb-4c48a9579d08",
"licensee": "user@example.org",
"generatedBy": "user@example.org",
"licenseExpiry": "2027-03-10T00:00:00Z",
"labels": [
"enterprise"
]
}
}
LICENSE_REFRESH
Emitted when license validation results in issuing a refreshed license.
For license refresh/poll requests, httpUserAgent records the version of Specmatic that performed the call.
| field name | data type | description |
|---|---|---|
details.oldLicenseId | string | License ID before refresh. |
details.newLicenseId | string | License ID after refresh. |
Example event:
{
"id": "6b981ec3-5b74-4afa-a180-67f8e37717e7",
"type": "LICENSE_REFRESH",
"timestamp": "2026-03-10T12:20:00Z",
"severity": "INFO",
"summary": "License refreshed for status-check-ci",
"actorType": "LICENSE",
"actorId": "153ad73c-d7ee-4cfd-8edb-4c48a9579d08",
"actorDisplay": "status-check-ci",
"sourceIp": "198.51.100.41",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "specmatic/2.3.1",
"httpReferer": null,
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/orgs/970ce194-6039-413a-9c6f-b514cee9cdff/licenses/status/153ad73c-d7ee-4cfd-8edb-4c48a9579d08",
"details": {
"oldLicenseId": "153ad73c-d7ee-4cfd-8edb-4c48a9579d08",
"newLicenseId": "6f03bc44-7f8c-4eeb-9ba4-5a3f57fd10aa"
}
}
LICENSE_SERVICE_ACCOUNT_CREATED
Emitted when a new service-account license is created.
| field name | data type | description |
|---|---|---|
details.licenseId | string | Created service account license ID. |
details.licensee | string | Service account licensee identifier. |
details.labels | string[] | Labels attached to the service account license. |
Example event:
{
"id": "0c47db5a-f318-40f2-8f68-6401885ec11f",
"type": "LICENSE_SERVICE_ACCOUNT_CREATED",
"timestamp": "2026-03-10T12:25:00Z",
"severity": "INFO",
"summary": "Service account license created by admin@example.org for svc:ci-bot",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.org",
"sourceIp": "198.51.100.42",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": null,
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/orgs/970ce194-6039-413a-9c6f-b514cee9cdff/license",
"details": {
"licenseId": "153ad73c-d7ee-4cfd-8edb-4c48a9579d08",
"licensee": "svc:ci-bot",
"labels": [
"service-account"
]
}
}
LICENSE_REVOKED
Emitted once per revoked license in bulk revoke operations.
| field name | data type | description |
|---|---|---|
details | object | No fixed details fields are currently defined; currently emitted as {}. |
Example event:
{
"id": "86bc0fd2-d96f-44f5-9f0e-9dcb916019a0",
"type": "LICENSE_REVOKED",
"timestamp": "2026-03-10T12:30:00Z",
"severity": "INFO",
"summary": "License for svc:ci-bot revoked by admin@example.org",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.org",
"sourceIp": "198.51.100.43",
"targetType": "LICENSE",
"targetId": "153ad73c-d7ee-4cfd-8edb-4c48a9579d08",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": "Mozilla/5.0",
"httpReferer": null,
"httpMethod": "POST",
"httpProtocol": "https",
"httpPort": 443,
"httpUrl": "/api/orgs/970ce194-6039-413a-9c6f-b514cee9cdff/users/licenses/revoke/bulk",
"details": {}
}
Audit Export Lifecycle
For where organization admins configure audit export in the product UI, see Audit Trail.
AUDIT_EXPORT_STARTED
Emitted when an audit export run starts for an organization.
| field name | data type | description |
|---|---|---|
details.runId | string (uuid) | Audit export run identifier. |
Example event:
{
"id": "6f22797f-d99a-40ff-9d0d-cf51e26e2183",
"type": "AUDIT_EXPORT_STARTED",
"timestamp": "2026-03-10T13:00:00Z",
"severity": "INFO",
"summary": "Audit export started",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": null,
"httpReferer": null,
"httpMethod": null,
"httpProtocol": null,
"httpPort": null,
"httpUrl": null,
"details": {
"runId": "b7ebeb4f-7b63-4bb4-a6c3-8fb8ca565f34"
}
}
AUDIT_EXPORT_COMPLETED
Emitted when an audit export run completes successfully.
| field name | data type | description |
|---|---|---|
details.runId | string (uuid) | Audit export run identifier. |
details.eventsExported | number | Number of events exported in the run. |
details.batches | number | Number of batches exported in the run. |
Example event:
{
"id": "f8c13ebf-e272-4edc-9dc8-c28d30f7c19b",
"type": "AUDIT_EXPORT_COMPLETED",
"timestamp": "2026-03-10T13:04:00Z",
"severity": "INFO",
"summary": "Audit export completed - exported 500 event(s) in 5 batch(es).",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": null,
"httpReferer": null,
"httpMethod": null,
"httpProtocol": null,
"httpPort": null,
"httpUrl": null,
"details": {
"runId": "b7ebeb4f-7b63-4bb4-a6c3-8fb8ca565f34",
"eventsExported": 500,
"batches": 5
}
}
AUDIT_EXPORT_FAILED
Emitted when an audit export run fails after starting.
| field name | data type | description |
|---|---|---|
details.runId | string (uuid) | Audit export run identifier. |
details.eventsExported | number | Number of events exported before failure. |
details.batches | number | Number of batches exported before failure. |
details.error | string | Failure message captured for the run. |
Example event:
{
"id": "3d47fe12-bec1-4e36-9f15-f0e2ac9e95ed",
"type": "AUDIT_EXPORT_FAILED",
"timestamp": "2026-03-10T13:05:00Z",
"severity": "ERROR",
"summary": "Audit export failed. Exported 320 event(s) in 4 batch(es) before failure. Error: Connection timed out while publishing batch 5",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpUserAgent": null,
"httpReferer": null,
"httpMethod": null,
"httpProtocol": null,
"httpPort": null,
"httpUrl": null,
"details": {
"runId": "b7ebeb4f-7b63-4bb4-a6c3-8fb8ca565f34",
"eventsExported": 320,
"batches": 4,
"error": "Connection timed out while publishing batch 5"
}
}
SCIM Config and Token Lifecycle
These events are emitted for organization-level SCIM configuration and token lifecycle changes.
The following three event types share the same details contract shape.
SCIM_CONFIG_CHANGED
Emitted when SCIM enablement state changes for an organization.
| field name | data type | description |
|---|---|---|
details.enabled | boolean | Final persisted SCIM enablement state for the organization after the update request is applied. |
details.tokenConfigured | boolean | Indicates whether a valid SCIM bearer token is configured and usable after the update completes. |
details.tokenId | string | Current SCIM token identifier associated with the org; omitted when no token is configured. |
Example event:
{
"id": "a3216ef8-6168-4c4f-8b16-09e8e7d3225f",
"type": "SCIM_CONFIG_CHANGED",
"timestamp": "2026-04-17T05:40:00Z",
"severity": "INFO",
"summary": "SCIM config updated for organization acme",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.121",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "POST",
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/org-identity",
"details": {
"enabled": true,
"tokenConfigured": false
}
}
SCIM_TOKEN_ROTATED
Emitted when an organization’s SCIM bearer token is rotated.
| field name | data type | description |
|---|---|---|
details.enabled | boolean | SCIM enablement state at the time rotation succeeds (typically unchanged by rotate itself). |
details.tokenConfigured | boolean | Always true for a successful token rotation because a new token is issued and stored. |
details.tokenId | string | Identifier of the newly issued token; this is the value used to correlate subsequent SCIM auth attempts. |
Example event:
{
"id": "bb77b5fb-c88e-4ab2-a00c-c2d3bc31ae7c",
"type": "SCIM_TOKEN_ROTATED",
"timestamp": "2026-04-17T05:41:00Z",
"severity": "INFO",
"summary": "SCIM token rotated for organization acme",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.122",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "POST",
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/org-identity/token/rotate",
"details": {
"enabled": true,
"tokenConfigured": true,
"tokenId": "b9e87456-cdf5-4efa-a4f7-5374b4fd3f2e"
}
}
SCIM_TOKEN_REVOKED
Emitted when an organization’s SCIM bearer token is revoked.
| field name | data type | description |
|---|---|---|
details.enabled | boolean | SCIM enablement state after revoke completes (current flow sets this to false). |
details.tokenConfigured | boolean | Always false because token credentials are cleared as part of revoke processing. |
details.tokenId | string | Omitted after revoke because no active token identifier remains on the organization config. |
Example event:
{
"id": "f14fa00d-ed43-46ee-8de9-ed4ca6f03785",
"type": "SCIM_TOKEN_REVOKED",
"timestamp": "2026-04-17T05:42:00Z",
"severity": "INFO",
"summary": "SCIM token revoked for organization acme",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.123",
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "POST",
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/org-identity/token/revoke",
"details": {
"enabled": false,
"tokenConfigured": false
}
}
SCIM Provisioning Events
These events are emitted for SCIM User and Group provisioning mutations.
Target behavior:
- User provisioning events (
SCIM_USER_*) targetUSERwhen a projected local user exists; otherwise targetORGANIZATION. - Group provisioning events (
SCIM_GROUP_*) targetORGANIZATION.
Common details fields for all SCIM provisioning events:
| field name | data type | description |
|---|---|---|
details.resourceType | string | SCIM resource category (USER or GROUP). |
details.resourceScimId | string | SCIM resource identifier for the mutated user/group. |
details.operation | string | Provisioning operation for the mutation (CREATE, UPDATE, PATCH, DEACTIVATE, REACTIVATE, DELETE). |
details.status | string | Provisioning outcome status; currently SUCCESS. |
details.idempotencyKey | string | Request key recorded with the audit event for traceability across retries/call chains. |
Optional details fields by resource type:
| field name | data type | emitted for | description |
|---|---|---|---|
details.userName | string | SCIM_USER_* | Canonical SCIM userName value persisted for the user link. |
details.projectedUserEmail | string | SCIM_USER_* | Email on projected local user when user projection/linkage exists. |
details.displayName | string | SCIM_GROUP_* | Canonical SCIM group display name at mutation time. |
details.externalId | string | both | Optional IdP-provided external correlation id. |
SCIM_USER_CREATED
Emitted when a SCIM user is provisioned (created).
| field name | data type | description |
|---|---|---|
details.operation | string | Operation discriminator for created user events; this event emits CREATE. |
Example event:
{
"id": "868311d7-cf2f-4372-9f5a-1f220cd0d9f5",
"type": "SCIM_USER_CREATED",
"timestamp": "2026-04-17T05:43:00Z",
"severity": "INFO",
"summary": "SCIM user user@example.com provisioned",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "USER",
"targetId": "9e531045-84b7-46cc-9318-0905c40c122f",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "POST",
"httpUrl": "/66fe6c555e232d36a28fef94/scim/v2/Users",
"details": {
"resourceType": "USER",
"resourceScimId": "4b56c08a-8565-47cb-af3d-76260da123fe",
"operation": "CREATE",
"status": "SUCCESS",
"idempotencyKey": "b48607d6-f5eb-4851-9252-f8f179583303",
"userName": "user@example.com",
"projectedUserEmail": "user@example.com",
"externalId": "ext-user"
}
}
SCIM_USER_UPDATED
Emitted when a SCIM user is updated via replace semantics (PUT).
| field name | data type | description |
|---|---|---|
details.operation | string | Operation discriminator for full replacement mutations; this event emits UPDATE. |
Example event:
{
"id": "df0df66f-8cb2-43ca-88b9-1724e466f009",
"type": "SCIM_USER_UPDATED",
"timestamp": "2026-04-17T05:44:00Z",
"severity": "INFO",
"summary": "SCIM user user.updated@example.com updated",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "USER",
"targetId": "9e531045-84b7-46cc-9318-0905c40c122f",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "PUT",
"httpUrl": "/66fe6c555e232d36a28fef94/scim/v2/Users/4b56c08a-8565-47cb-af3d-76260da123fe",
"details": {
"resourceType": "USER",
"resourceScimId": "4b56c08a-8565-47cb-af3d-76260da123fe",
"operation": "UPDATE",
"status": "SUCCESS",
"idempotencyKey": "43af4f5d-a347-4665-b8fb-3d807b315603",
"userName": "user.updated@example.com",
"projectedUserEmail": "user.updated@example.com",
"externalId": "ext-user-updated"
}
}
SCIM_USER_PATCHED
Emitted when a SCIM user is updated via patch semantics (PATCH).
| field name | data type | description |
|---|---|---|
details.operation | string | Operation discriminator for partial user mutations; this event emits PATCH. |
Example event:
{
"id": "4a00e7fb-7f85-4b8c-834a-0419917ab12a",
"type": "SCIM_USER_PATCHED",
"timestamp": "2026-04-17T05:44:30Z",
"severity": "INFO",
"summary": "SCIM user user.updated@example.com patched",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "USER",
"targetId": "9e531045-84b7-46cc-9318-0905c40c122f",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "PATCH",
"httpUrl": "/66fe6c555e232d36a28fef94/scim/v2/Users/4b56c08a-8565-47cb-af3d-76260da123fe",
"details": {
"resourceType": "USER",
"resourceScimId": "4b56c08a-8565-47cb-af3d-76260da123fe",
"operation": "PATCH",
"status": "SUCCESS",
"idempotencyKey": "e9972cf7-b6f7-4704-8f88-ee61c766f2fb",
"userName": "user.updated@example.com",
"projectedUserEmail": "user.updated@example.com",
"externalId": "ext-user-patched"
}
}
SCIM_USER_DEACTIVATED
Emitted when a SCIM user is deprovisioned with active=false.
| field name | data type | description |
|---|---|---|
details.operation | string | Operation discriminator for user deprovision events; this event emits DEACTIVATE. |
Example event:
{
"id": "2bf8cc9b-258b-466d-8da4-5a06dd261f06",
"type": "SCIM_USER_DEACTIVATED",
"timestamp": "2026-04-17T05:45:30Z",
"severity": "INFO",
"summary": "SCIM user user.updated@example.com deactivated",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "USER",
"targetId": "9e531045-84b7-46cc-9318-0905c40c122f",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "PATCH",
"httpUrl": "/66fe6c555e232d36a28fef94/scim/v2/Users/4b56c08a-8565-47cb-af3d-76260da123fe",
"details": {
"resourceType": "USER",
"resourceScimId": "4b56c08a-8565-47cb-af3d-76260da123fe",
"operation": "DEACTIVATE",
"status": "SUCCESS",
"idempotencyKey": "03e04af8-7259-4ab3-ac4b-bfd7b82a9e80",
"userName": "user.updated@example.com",
"projectedUserEmail": "user.updated@example.com",
"externalId": "ext-user-patched"
}
}
SCIM_USER_REACTIVATED
Emitted when a previously deactivated SCIM user is reactivated (active=true).
| field name | data type | description |
|---|---|---|
details.operation | string | Operation discriminator for restoring a previously deactivated user; this event emits REACTIVATE. |
Example event:
{
"id": "4afb4455-47c0-4462-abf3-a7d0bb12ac93",
"type": "SCIM_USER_REACTIVATED",
"timestamp": "2026-04-17T05:46:00Z",
"severity": "INFO",
"summary": "SCIM user user.updated@example.com reactivated",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "USER",
"targetId": "9e531045-84b7-46cc-9318-0905c40c122f",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "PUT",
"httpUrl": "/66fe6c555e232d36a28fef94/scim/v2/Users/4b56c08a-8565-47cb-af3d-76260da123fe",
"details": {
"resourceType": "USER",
"resourceScimId": "4b56c08a-8565-47cb-af3d-76260da123fe",
"operation": "REACTIVATE",
"status": "SUCCESS",
"idempotencyKey": "cf08be29-f9f1-4967-a77a-18926ec191f5",
"userName": "user.updated@example.com",
"projectedUserEmail": "user.updated@example.com",
"externalId": "ext-user-patched"
}
}
SCIM_USER_DELETED
Emitted when a SCIM user is deleted via SCIM DELETE.
| field name | data type | description |
|---|---|---|
details.operation | string | Operation discriminator for hard-delete mutations; this event emits DELETE. |
Example event:
{
"id": "2cbf7f3f-b6a4-49d9-ac2e-f6f9c7707f95",
"type": "SCIM_USER_DELETED",
"timestamp": "2026-04-17T05:45:00Z",
"severity": "INFO",
"summary": "SCIM user user@example.com deleted",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "USER",
"targetId": "9e531045-84b7-46cc-9318-0905c40c122f",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "DELETE",
"httpUrl": "/66fe6c555e232d36a28fef94/scim/v2/Users/4b56c08a-8565-47cb-af3d-76260da123fe",
"details": {
"resourceType": "USER",
"resourceScimId": "4b56c08a-8565-47cb-af3d-76260da123fe",
"operation": "DELETE",
"status": "SUCCESS",
"idempotencyKey": "user:delete:4b56c08a-8565-47cb-af3d-76260da123fe:7df77c20-2d76-490a-8f14-f04288076926",
"userName": "user@example.com",
"projectedUserEmail": "user@example.com",
"externalId": "ext-user"
}
}
SCIM_GROUP_CREATED
Emitted when a SCIM group is created.
| field name | data type | description |
|---|---|---|
details.operation | string | Operation discriminator for created group events; this event emits CREATE. |
Example event:
{
"id": "f0979664-04e4-40a8-a4c3-f4688d6f72c8",
"type": "SCIM_GROUP_CREATED",
"timestamp": "2026-04-17T05:47:00Z",
"severity": "INFO",
"summary": "SCIM group Platform Team provisioned",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "POST",
"httpUrl": "/66fe6c555e232d36a28fef94/scim/v2/Groups",
"details": {
"resourceType": "GROUP",
"resourceScimId": "d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"operation": "CREATE",
"status": "SUCCESS",
"idempotencyKey": "group:create:d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"displayName": "Platform Team",
"externalId": "ext-platform-team"
}
}
SCIM_GROUP_UPDATED
Emitted when a SCIM group is updated via replace semantics (PUT).
| field name | data type | description |
|---|---|---|
details.operation | string | Operation discriminator for full group replacement mutations; this event emits UPDATE. |
Example event:
{
"id": "728f7e2c-7396-4d73-8dbf-7d995fdf3341",
"type": "SCIM_GROUP_UPDATED",
"timestamp": "2026-04-17T05:47:30Z",
"severity": "INFO",
"summary": "SCIM group Platform Team Updated updated",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "PUT",
"httpUrl": "/66fe6c555e232d36a28fef94/scim/v2/Groups/d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"details": {
"resourceType": "GROUP",
"resourceScimId": "d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"operation": "UPDATE",
"status": "SUCCESS",
"idempotencyKey": "group:update:d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"displayName": "Platform Team Updated",
"externalId": "ext-platform-team-updated"
}
}
SCIM_GROUP_PATCHED
Emitted when a SCIM group is updated via patch semantics (PATCH), including membership mutations.
| field name | data type | description |
|---|---|---|
details.operation | string | Operation discriminator for partial group/membership mutations; this event emits PATCH. |
Example event:
{
"id": "6f5be68e-e2f0-4f6c-9f87-91db995f5b70",
"type": "SCIM_GROUP_PATCHED",
"timestamp": "2026-04-17T05:48:00Z",
"severity": "INFO",
"summary": "SCIM group Platform Team patched",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "PATCH",
"httpUrl": "/66fe6c555e232d36a28fef94/scim/v2/Groups/d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"details": {
"resourceType": "GROUP",
"resourceScimId": "d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"operation": "PATCH",
"status": "SUCCESS",
"idempotencyKey": "group:patch:d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"displayName": "Platform Team",
"externalId": "ext-platform-team"
}
}
SCIM_GROUP_DELETED
Emitted when a SCIM group is deleted via SCIM DELETE.
| field name | data type | description |
|---|---|---|
details.operation | string | Operation discriminator for group deletion mutations; this event emits DELETE. |
Example event:
{
"id": "77a8b8be-ac99-4d6d-a6aa-6e62a3e2c1d8",
"type": "SCIM_GROUP_DELETED",
"timestamp": "2026-04-17T05:48:30Z",
"severity": "INFO",
"summary": "SCIM group Platform Team deleted",
"actorType": "SYSTEM",
"actorId": null,
"actorDisplay": null,
"sourceIp": null,
"targetType": "ORGANIZATION",
"targetId": "970ce194-6039-413a-9c6f-b514cee9cdff",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "DELETE",
"httpUrl": "/66fe6c555e232d36a28fef94/scim/v2/Groups/d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"details": {
"resourceType": "GROUP",
"resourceScimId": "d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"operation": "DELETE",
"status": "SUCCESS",
"idempotencyKey": "group:delete:d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"displayName": "Platform Team",
"externalId": "ext-platform-team"
}
}
SCIM Group Mapping Events
These events are emitted for Insights-side SCIM group mapping changes (role/identity mapping), separate from SCIM provisioning events.
SCIM_GROUP_MAPPING_CHANGED
Emitted when an org admin updates the Insights role/identity mapping for one or more SCIM groups. One event is emitted per changed group.
| field name | data type | description |
|---|---|---|
targetType | string | Always SCIM_GROUP. |
targetId | string | SCIM group ID whose mapping changed. |
details.resourceScimId | string | SCIM group ID (same value as targetId). |
details.displayName | string | SCIM group display name at the time of update. |
details.externalId | string | Optional SCIM group external ID when present. |
details.before.insightsRole | string | Previous Insights role mapping (USER or ORG_ADMIN). |
details.before.insightsIdentityType | string | Previous identity mapping (HUMAN_IDENTITY or NON_HUMAN_IDENTITY). |
details.after.insightsRole | string | New Insights role mapping (USER or ORG_ADMIN). |
details.after.insightsIdentityType | string | New identity mapping (HUMAN_IDENTITY or NON_HUMAN_IDENTITY). |
Example event:
{
"id": "6fa7583a-777d-4633-8ecf-4cdb60dd7b82",
"type": "SCIM_GROUP_MAPPING_CHANGED",
"timestamp": "2026-04-26T06:48:10Z",
"severity": "INFO",
"summary": "SCIM group mapping changed for Platform Team",
"actorType": "USER",
"actorId": "600a88a8-b41b-403c-8e0c-f462cfd94288",
"actorDisplay": "admin@example.com",
"sourceIp": "203.0.113.20",
"targetType": "SCIM_GROUP",
"targetId": "d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"destinationHostname": "insights.specmatic.io",
"httpMethod": "POST",
"httpUrl": "/api/organizations/970ce194-6039-413a-9c6f-b514cee9cdff/scim-groups/mapping",
"details": {
"resourceScimId": "d8d7cf67-3d25-4cde-a3be-4798ba45b742",
"displayName": "Platform Team",
"externalId": "ext-platform-team",
"before": {
"insightsRole": "USER",
"insightsIdentityType": "HUMAN_IDENTITY"
},
"after": {
"insightsRole": "ORG_ADMIN",
"insightsIdentityType": "NON_HUMAN_IDENTITY"
}
}
}