Ghost app hitting our API constantly

Our API got hit constantly by a ghost application to update user. The client_id in the log does not match any of our application and on the log page, it simply shows as N/A. Anyone seen this before? How can we find the root cause?

We have a guess that it is caused by
We turned off all of our backend stuff and just refresh our react page causes that mystery update

You can click on the title of the log entry to reveal more information. Maybe there’s a bit more to see. You should also see a type attribute, referring to the Log Event Codes. Maybe there’s some more info to see in there?
A user update via API should not come from a SPA, as it requires a client secret and that’s not something that’s protected in a SPA, therefore I assume it must be coming from somewhere else.

Full log:

“date”: “2020-03-11T18:21:55.891Z”,
“type”: “sapi”,
“description”: “Update a user”,
“client_id”: “TdRe9ce6wEFyGm1kYr2pexT1wtXNbADt”,
“client_name”: “”,
“ip”: “”,
“user_agent”: “Other 0.0.0 / Other 0.0.0”,
“details”: {
“request”: {
“method”: “patch”,
“path”: “/api/v2/users/auth0%7CAc331tMv1u”,
“query”: {},
“userAgent”: “node-superagent/1.8.5”,
“body”: {
“app_metadata”: {
“org_key”: “JHTNEzuqga”
“channel”: “api”,
“ip”: “”,
“auth”: {
“user”: {},
“strategy”: “jwt”,
“credentials”: {
“jti”: “9fce069d915ea1a18172890e928c29be”,
“scopes”: [
“response”: {
“statusCode”: 200,
“body”: {
“created_at”: “2020-02-20T18:48:50.226Z”,
“email”: “”,
“email_verified”: true,
“identities”: [
“user_id”: “Ac331tMv1u”,
“provider”: “auth0”,
“connection”: “Username-Password-Authentication”,
“isSocial”: false
“name”: “”,
“nickname”: “gordon.sun+1”,
“picture”: “”,
“updated_at”: “2020-03-11T18:21:55.879Z”,
“user_id”: “auth0|Ac331tMv1u”,
“last_password_reset”: “2020-02-28T19:44:27.408Z”,
“user_metadata”: {
“finishedOnboarding”: false
“app_metadata”: {
“org_key”: “JHTNEzuqga”
“last_ip”: “”,
“last_login”: “2020-03-11T02:45:36.592Z”,
“logins_count”: 40
“log_id”: “90020200311182201764000463908535086737454848857341952130”,
“_id”: “90020200311182201764000463908535086737454848857341952130”,
“isMobile”: false

Thanks for the log, I recommend though to remove anything sensitive in it, such as email addresses, etc.
And can you please DM me your tenant name and region. (Nevermind: I found it).

I see that you have a Rule enabled called “Set app metadata” which makes a call to the Management API, updating user metadata. I highly believe the log is coming from there.

You can check your Dashboard > Rules > Set app metadata.

Also check if you have any Hooks enabled? (Dashboard > Hooks)

Thank you so much @mathiasconradt !
It’s something setup before my time. Do you think Auth0 can make a change to somehow tie the mystery client id to the rules to make discovery easier?

That mysterious clientID is a special client used to represent a client named “All Applications”. You should see it when you fetch all clients via Management API (you can test it in the API Explorer).
But I will take that feedback in to the product team. I agree, it should get a proper label in the event logs.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.