Back to Blog

Add Audit Log Streaming to Auth0 authentication in < 2 mins

Pranav Shikarpur
Pranav Shikarpur

In a world where hackers are trying to brute force user accounts (23andMe breach 2023), it is vital for developers to maintain a long-lasting and tamper-proof audit log of all authentication events to keep their apps secure.

While many companies use Auth0 as an authentication provider, its log data retention periods ONLY range from 1-30 days depending on the Auth0 subscription level. Although this span may seem useful for application debugging, it’s not optimal for meeting compliance requirements due to such short retention periods.

Thus, adding log streaming with Pangea allows you to keep your Auth0 authentication setup while using Pangea to retain logs for up to 10 years! The best part is that everything can be configured directly in the Auth0 dashboard without any changes to your code base.

What are the Advantages of a Tamperproof Audit Log?

If you’re just interested in implementing audit log streaming for Auth0, you can skip ahead to the next section. No offense taken 😉

  • Identify Risk of Exposure

A robust tamperproof audit log can help quickly assess the risk of exposure after a data breach since you have logs of all user events and critical user actions that occurred in our app.

  • Tamperproof logs

Since message hashes of Pangea Audit Logs have been designed to be stored in a cryptographically secure hash-tree called “Merkle Trees”, the logs are tamperproof and cryptographically verifiable. Thus Pangea Audit Logs can neither be changed nor destroyed once created.

  • Asynchronous Logging

Since Pangea Audit Logs can be implemented asynchronously with our authentication system and APIs, it doesn’t affect the performance of our web apps.

TLDR; How do I build it in?

In this tutorial, I will demonstrate how easy it is to add Pangea’s tamperproof audit log API to your Auth0 authentication setup in just a few clicks. No changes to your codebase are needed 😅

Step 1: Create an account on pangea.cloud

Head over to pangea.cloud and create an account for free. Then in the developer console, enable the “Secure Audit Log” service and select the Auth-vX.X.X Log Streaming for the schema template.

Step 2: Create an event stream in Auth0 Dashboard

In your Auth0 dashboard, go to Monitoring >> Streams and click Create Stream. Under the event stream options, select Custom Webhook

Step 3: Copy your Pangea credentials to setup the webhook

In the Custom Webhook setup window, you’ll be asked to input the following:

  • Payload URL - Enter the URL for your Pangea project log-streaming endpoint. You can find it here.

  • Authorization Token - Enter the Authorization header value to access your Secure Audit Log configuration. This would be Bearer <insert_pangea_token>

  • Content Type - Leave it as application/json.

  • Content Format - Select JSON Object.

Then you can hit Save! Now, if you head over to the Health tab under the newly created webhook, you should see a success message saying your webhook is Active.

Here’s a quick video on configuring your webhook with Pangea credentials:

Finally, heading over to my react app pre-configured with my Auth0 credentials, let’s log in and log out. To check that our audit logs are being streamed let us head over to the Pangea Console under Audit Log >> View Logs. In here, we should see new logs populated from our app streamed straight from Auth0.

Let's test it out!

Get updates in your inbox and subscribe to our newsletter

background landmass

We were recognized by Gartner®!

Pangea is a Sample Vendor for Composable Security APIs in the 2024 App Sec Hype Cycle report