Skip to main content

Live event streams

You can stream events (sign-ups, logins, machine-to-machine tokens issued, and many more) in real-time, live as they happen in your Ory Network project, to your own infrastructure. Pipe those events into your own data warehouse, data lake, or flavor of choice, and use them to power your own analytics, dashboards, data science, and more.

Live event streams are available for Ory Network enterprise contracts. Talk to your account manager or reach out directly to find out more.

info

You workload is not running on AWS or you don't want to use SNS? Reach out to discuss your requirements!

Stream to AWS SNS

Configuring AWS SNS as an event stream destination is easy and requires no exchange of confidential information.

  1. Create an AWS SNS topic, and record its ARN (Amazon Resource Name), for example:
arn:aws:sns:us-east-1:123456789012:my-topic
  1. Create an AWS IAM role with publish permission to that topic. Sample IAM policy:
IAM role policy (replace <YOUR TOPIC ARN> with your topic ARN created above)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OryNetworkEventStreamPublish",
"Effect": "Allow",
"Action": ["sns:Publish"],
"Resource": ["<YOUR TOPIC ARN>"]
}
]
}

Record the ARN of the IAM role you created, for example:

arn:aws:iam::123456789012:role/ory-network-event-streamer
  1. Attach the following trust policy to the IAM role you created in step 2, replacing <YOUR PROJECT UUID> with your project ID:
Trust policy (replace <YOUR PROJECT UUID>)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "601538168777"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<YOUR PROJECT UUID>"
}
}
}
]
}

This allows Ory Network to assume the role in your AWS account, and publish to your SNS topic.

  1. Use the Ory CLI to configure the event stream, replacing the ARNs with those recorded in steps 1 and 2:
ory create event-stream
--project "$YOUR_PROJECT_ID" \
--type sns \
--aws-sns-topic-arn "$YOUR_TOPIC_ARN" \
--aws-iam-role-arn "$YOUR_IAM_ROLE_ARN"
  1. You are now ready to receive events in your AWS SNS topic!
tip

For development purposes, you can subscribe an email address to your topic, and receive events via email. For production use, subscribe AWS SQS, AWS Kinesis Data Firehose, or any other AWS service that can consume events from an SNS topic. Check the AWS documentation for ideas.

Retry policy

If your event stream destination is unavailable or misconfigured, Ory Network will retry sending the event multiple times with an exponential backoff between attempts.

Event descriptions

Ory emits events for many different actions. The following is a list of all events that are currently supported. This list is not exhaustive, and there might by additional events being emitted.

Ory Identities

EventDescription
SessionIssuedA new session has been initiated for a user.
SessionChangedThe session details have been modified or updated.
SessionLifespanExtendedThe duration of the session has been extended, allowing the user to remain authenticated longer.
SessionRevokedThe session has been explicitly terminated or invalidated.
SessionCheckedA check has been performed to verify the session's validity or status.
SessionTokenizedAsJWTThe session has been converted into a JWT (JSON Web Token) for authentication purposes.
RegistrationFailedA user's attempt to register has failed due to errors or invalid data.
RegistrationSucceededA user has successfully registered and created an account.
LoginFailedA user's login attempt has failed, possibly due to incorrect credentials.
LoginSucceededA user has successfully logged into their account.
SettingsFailedAn attempt to change account or session settings has failed.
SettingsSucceededChanges to account or session settings have been successfully applied.
RecoveryFailedA password or account recovery attempt has failed.
RecoverySucceededA password or account recovery attempt has succeeded.
VerificationFailedA user's identity verification attempt has failed.
VerificationSucceededA user's identity verification has been successfully completed.
IdentityCreatedA new identity (user or account) has been successfully created.
IdentityUpdatedAn existing identity's details have been modified or updated.
IdentityDeletedAn identity has been deleted from the system.
WebhookDeliveredA webhook has been sent to the configured endpoint for processing.
WebhookSucceededA webhook has been successfully processed and acknowledged by the receiving endpoint.
WebhookFailedA webhook delivery or processing has failed at the receiving endpoint.

Ory OAuth2

EventDescription
OAuth2LoginAcceptedA user's OAuth2 login has been accepted and the authentication process is successful.
OAuth2LoginRejectedA user's OAuth2 login attempt has been rejected due to invalid credentials or authorization issues.
OAuth2ConsentAcceptedThe user has accepted the consent screen, granting requested permissions to the OAuth2 client.
OAuth2ConsentRejectedThe user has rejected the consent screen, refusing to grant the requested permissions.
OAuth2ConsentRevokedThe user has revoked previously granted consent for an OAuth2 client, removing its permissions.
OAuth2ClientCreatedA new OAuth2 client (application) has been created and registered in the system.
OAuth2ClientDeletedAn OAuth2 client has been deleted from the system.
OAuth2ClientUpdatedAn existing OAuth2 client's details have been updated or modified.
OAuth2AccessTokenIssuedAn OAuth2 access token has been successfully issued to a client or user.
OAuth2TokenExchangeErrorAn error occurred during the OAuth2 token exchange process, possibly due to invalid requests.
OAuth2AccessTokenInspectedAn OAuth2 access token has been inspected to verify its validity or check its claims.
OAuth2AccessTokenRevokedAn OAuth2 access token has been revoked, invalidating it for future use.
OAuth2RefreshTokenIssuedA refresh token has been successfully issued, allowing the client to obtain a new access token.
OIDCIdentityTokenIssuedAn OpenID Connect (OIDC) identity token has been issued to authenticate the user's identity.

Ory Permissions

EventDescription
RelationtuplesCreatedA new relation tuple has been created, representing a relationship between entities.
RelationtuplesDeletedAn existing relation tuple has been deleted, removing the relationship between entities.
RelationtuplesChangedA relation tuple has been modified, indicating a change in the relationship between entities.
PermissionsExpandedPermissions have been expanded, likely increasing access or privileges for certain users or entities.
PermissionsCheckedA permission check has been performed to verify if access is allowed for a given action or resource.