This page describes Identity Platform activity logging. For information about audit logging, see Identity Platform audit logging.
Identity Platform integrates with Google Cloud's operations suite to enable project owners to monitor their users' activity. When enabled, Identity Platform generates a log entry for each end-user request received by the API. Log entries include what operation was performed, when it was performed, and all loggable request and response information supplied in the request. Activity logging is disabled by default and can be configured using the Identity Platform APIs. For details, see the Enable Activity Logging section.
Activity logging can affect your logs pricing in Google Cloud's operations suite, as described in the Pricing section on this page.
Activity logging-enabled operations
The follow table summarizes the API operations that can produce activity logs:
| Service | Method |
|---|---|
| google.cloud.identitytoolkit.v1.AccountManagementService | DeleteAccount |
| GetAccountInfo | |
| GetOobCode | |
| ResetPassword | |
| SetAccountInfo | |
| google.cloud.identitytoolkit.v1.AuthenticationService | CreateAuthUri |
| GetRecaptchaParam | |
| SendVerificationCode | |
| SignInWithCustomToken | |
| SignInWithEmailLink | |
| SignInWithGameCenter | |
| SignInWithIdp | |
| SignInWithPassword | |
| SignInWithPhoneNumber | |
| SignUp | |
| VerifyIosClient | |
| google.cloud.identitytoolkit.v1.ProjectConfigService | GetProjectConfig |
Activity log format
Activity log entries can be viewed in Cloud Logging using the Logs Viewer or Cloud SDK. Logs include the following objects:
logNamealways contains Identity Platform activity logs in the following format:projects/[PROJECT_ID]/logs/identitytoolkit.googleapis.com%2Frequestsresourcealways contains theidentitytoolkit_projectresource type.serviceNamealways contains the service name in the following format:identitytoolkit.googleapis.com.protoPayloadcontains the loggable request and/or response information.
Enabling activity logging
Activity logging is disabled by default. You can configure activity logging by using the Identity Platform REST API:
curl -d "{'monitoring':{'requestLogging':{'enabled':true}}}" -H 'Authorization: Bearer [AUTH_TOKEN]' -X PATCH -H 'Content-Type: application/json' https://identitytoolkit.googleapis.com/admin/v2/projects/[PROJECT_ID]/config?updateMask=monitoring.requestLogging.enabled
Pricing
Activity logging can affect your logs pricing in Google Cloud's operations suite. For information on log pricing, see Stackdriver pricing.
Logs Exclusions
Google Cloud's operations suite gives you tools to disable all logs ingestion or exclude (discard) log entries you don't want, so that you can minimize any charges for logs over your monthly allotment. For more information about how to exclude certain logs, see Logs Exlcusions.
Sample exclusion filter
The following is an example exlcusion filter that excludes all logs for the
read-only methods GetAccountInfo and GetProjectConfig:
NameCICP.excludeReadOnlyActivityDescriptionExcludes all CICP activity logs forGetAccountInfoandGetProjectConfigendpointsPercent to Exclude100
resource.type="identitytoolkit_project" ( jsonPayload.methodName="google.cloud.identitytoolkit.v1.AccountManagementService.GetAccountInfo" OR jsonPayload.methodName="google.cloud.identitytoolkit.v1.ProjectConfigService.GetProjectConfig" )