Activity logging

This document describes how to use Cloud Logging for activity logging with Identity Platform.

Enabling activity logging

Activity logging is disabled by default. You can enable activity logging using the REST API:

curl -d "{'monitoring':{'requestLogging':{'enabled':true}}}" \
  -H 'Authorization: Bearer auth-token' \
  -X PATCH -H 'Content-Type: application/json' \
  https://identitytoolkit.googleapis.com/admin/v2/projects/project-id/config?updateMask=monitoring.requestLogging.enabled

Enabling activity logging may affect your billing. See Pricing for Google Cloud's operations suite to learn more.

Viewing activity logs

When Logging is enabled, a log entry is generated for each user request. Each log entry includes the following fields:

Field Description
logName projects/project-id/logs/identitytoolkit.googleapis.com/requests
resource identitytoolkit_project
serviceName identitytoolkit.googleapis.com
protoPayload The logged request or response.

You can see your project or tenant's activity logs using the Logs Viewer. To view logs:

  1. In the Cloud Console, go to the Logs Viewer page.

    Go to the Logs Viewer page

  2. Select Identity Toolkit Project or Identity Toolkit Tenant from the resources dropdown. If you're using multi-tenancy, you can show all tenants, or filter to a specific one.

Logged operations

The follow table lists the API operations that can produce activity logs:

Service Method
google.cloud.identitytoolkit.v1.AccountManagementService DeleteAccount
GetAccountInfo
GetOobCode
ResetPassword
SetAccountInfo
google.cloud.identitytoolkit.v1.AuthenticationService CreateAuthUri
GetRecaptchaParam
SendVerificationCode
SignInWithCustomToken
SignInWithEmailLink
SignInWithGameCenter
SignInWithIdp
SignInWithPassword
SignInWithPhoneNumber
SignUp
VerifyIosClient
google.cloud.identitytoolkit.v1.ProjectConfigService GetProjectConfig

Excluding operations

Logging gives you tools to disable log ingestion or exclude log entries you don't want. For more information about how to exclude certain logs, see Logs Exclusions.

The following example shows how to exclude logs for the read-only GetAccountInfo() and GetProjectConfig() methods:

resource.type="identitytoolkit_project"
(
 jsonPayload.methodName="google.cloud.identitytoolkit.v1.AccountManagementService.GetAccountInfo"
 OR
 jsonPayload.methodName="google.cloud.identitytoolkit.v1.ProjectConfigService.GetProjectConfig"
)