Stay organized with collections Save and categorize content based on your preferences.

Activity logging

This document describes how to use Cloud Logging for activity logging with Identity Platform.

Enabling activity logging

Activity logging is disabled by default. You can enable activity logging using the REST API:

curl -d "{'monitoring':{'requestLogging':{'enabled':true}}}" \
  -H 'Authorization: Bearer auth-token' \
  -X PATCH -H 'Content-Type: application/json' \
  https://identitytoolkit.googleapis.com/admin/v2/projects/project-id/config?updateMask=monitoring.requestLogging.enabled

Enabling activity logging can affect your billing. See Google Cloud's operations suite pricing to learn more.

Enabling activity logging for tenant projects

Activity logging for tenant projects is disabled by default. You can enable activity logging for tenant projects, using the REST API, by executing the following command:

curl -d "{'monitoring':{'requestLogging':{'enabled':true}}}" \
  -H 'Authorization: Bearer AUTH_TOKEN' \
  -X PATCH -H 'Content-Type: application/json' \
  https://identitytoolkit.googleapis.com/v2/projects/PROJECT_ID/tenants/TENANT_ID?updateMask=monitoring.requestLogging.enabled

Replace the following: *AUTH_TOKEN: the auth token. *PROJECT_ID: the project ID. *TENANT_ID: the tenant ID.

Enabling activity logging can affect your billing. See Pricing for Google Cloud's operations suite to learn more.

Viewing activity logs

When Logging is enabled, a log entry is generated for each user request. Each log entry includes the following fields:

Field Description
logName projects/project-id/logs/identitytoolkit.googleapis.com/requests
resource identitytoolkit_project or identitytoolkit_tenant
serviceName identitytoolkit.googleapis.com
protoPayload The logged request or response.

You can see your project or tenant's activity logs using the Logs Explorer. To view logs:

  1. In the Google Cloud console, go to the Logs Explorer page.

    Go to the Logs Explorer page

  2. Select Identity Toolkit Project or Identity Toolkit Tenant from the resources dropdown. If you're using multi-tenancy, you can show all tenants, or filter to a specific one.

Logged operations

The follow table lists the API operations that can produce activity logs:

Service Method
google.cloud.identitytoolkit.v1.AccountManagementService DeleteAccount
GetAccountInfo
GetOobCode
ResetPassword
SetAccountInfo
google.cloud.identitytoolkit.v1.AuthenticationService CreateAuthUri
GetRecaptchaParam
SendVerificationCode
SignInWithCustomToken
SignInWithEmailLink
SignInWithGameCenter
SignInWithIdp
SignInWithPassword
SignInWithPhoneNumber
SignUp
VerifyIosClient
google.cloud.identitytoolkit.v1.ProjectConfigService GetProjectConfig

Excluding operations

Logging gives you tools to disable log ingestion or exclude log entries you don't want. For more information about how to exclude certain logs, see Logs Exclusions.

The following example shows how to exclude logs for the read-only GetAccountInfo() and GetProjectConfig() methods:

resource.type="identitytoolkit_project"
(
 jsonPayload.methodName="google.cloud.identitytoolkit.v1.AccountManagementService.GetAccountInfo"
 OR
 jsonPayload.methodName="google.cloud.identitytoolkit.v1.ProjectConfigService.GetProjectConfig"
)