Feature Request: Logs and audit - Access to application tokens not logged

Hi there,

We are currently trying to leverage the logs provided by Auth0 to implement detection rules in our security monitoring platform, based on specific threat scenarios/use cases.

During this project, we identified that no specific logs are issued when an admin accesses a Client Secret for an “Application” through either the “Settings” or “Credentials” tab by clicking on “Reveal Client Secret”.


Normally, any platform should log a specific event for such a sensitive access/action. The only log we have is a “Get a client” with a path set to “/api/v2/clients/CLIENT_ID”. But this is definitely not enough, as we need more fine-grained details in the logs about what was done by the admin.

As of now, this event will basically be triggered each time the Application is accessed, without providing any additional information. But we can access an Application without performing any sensitive action such as revealing the client secret.

So, could you please implement more detailed logs, at least for sensitive actions such as someone accessing secrets, revealing them, etc.

Thanks!
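As an added example (not part of the original post and not Auth0's own tooling), the following shows what a detection rule over the coarse “Get a client” event looks like today, and why it cannot do better than a low-confidence alert. The log field layout (`type`, `description`, `details.request.path`, `user_name`) and the sample entries are assumed and constructed for illustration; the rule matches only the event and path the post names.

```python
import re
from collections import defaultdict

# Constructed sample tenant log entries. The field layout (type, description,
# details.request.path, user_name, client_name) is an assumption made for this
# example, not a format taken from the post.
SAMPLE_LOGS = [
    {"log_id": "1", "type": "sapi", "description": "Get a client",
     "user_name": "alice@example.com", "client_name": "Admin Dashboard",
     "details": {"request": {"method": "get", "path": "/api/v2/clients/abc123XYZ"}}},
    {"log_id": "2", "type": "sapi", "description": "Get clients",
     "user_name": "alice@example.com", "client_name": "Admin Dashboard",
     "details": {"request": {"method": "get", "path": "/api/v2/clients"}}},
    {"log_id": "3", "type": "sapi", "description": "Get a client",
     "user_name": "bob@example.com", "client_name": "Admin Dashboard",
     "details": {"request": {"method": "get", "path": "/api/v2/clients/def456UVW"}}},
    {"log_id": "4", "type": "s", "description": "Successful login",
     "user_name": "bob@example.com", "client_name": "Web App",
     "details": {}},
]

# A single-client read is a GET on /api/v2/clients/<id>; the list endpoint
# (/api/v2/clients with no id) is a different, less interesting event.
CLIENT_READ_PATH = re.compile(r"^/api/v2/clients/([A-Za-z0-9_-]+)$")


def is_client_read(entry):
    """True when the entry is the coarse 'Get a client' event on one client."""
    if entry.get("description") != "Get a client":
        return False
    path = entry.get("details", {}).get("request", {}).get("path", "")
    return CLIENT_READ_PATH.match(path) is not None


def client_id_of(entry):
    """Extract the CLIENT_ID from the request path of a client-read entry."""
    path = entry["details"]["request"]["path"]
    return CLIENT_READ_PATH.match(path).group(1)


def flag_client_reads(entries):
    """Emit one low-severity alert per client read.

    The event cannot distinguish opening the Application page from clicking
    "Reveal Client Secret", so the alert is deliberately marked as coarse.
    """
    alerts = []
    for e in entries:
        if not is_client_read(e):
            continue
        alerts.append({
            "log_id": e.get("log_id"),
            "actor": e.get("user_name"),
            "client_id": client_id_of(e),
            "severity": "low",
            "note": ("Coarse signal: a client record was fetched; the event "
                     "does not say whether the client secret was revealed."),
        })
    return alerts


def reads_per_actor(entries):
    """Count client reads per admin, a baseline for spotting unusual volume."""
    counts = defaultdict(int)
    for e in entries:
        if is_client_read(e):
            counts[e.get("user_name")] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in flag_client_reads(SAMPLE_LOGS):
        print(alert)
    print(reads_per_actor(SAMPLE_LOGS))
```

Running this over the constructed entries yields two alerts (one per single-client read) and skips both the list call and the login event. The per-actor count is the only enrichment available from the current log; a dedicated “client secret revealed” event would let the same rule raise a high-severity alert on the specific action instead.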

Hey there!

Thanks for raising this one! As in the previous one you created, I highly encourage you to upvote it so that it gets as many votes as possible. Once we have any updates on that front we’ll get back to you here. Thank you!