Overview
This article details how to monitor change password email requests using monitoring events in the Auth0 logs and configuring log streams in Auth0.
This recommendation is provided as an alternative to trying to include a CC or BCC on a change password email request.
Applies To
- Change password email
- Password reset
- Email template
Solution
Sending a ‘CC’ or ‘BCC’ copy of the change password email is not currently supported. When a “change password” email is forwarded to a third party, control over sensitive account information is lost: the recipient gains direct access to the password reset link and other confidential data, which increases the chances of unauthorized access.
Forwarding such sensitive emails can lead to serious issues, such as:
- Unapproved account takeovers.
- Replication of legitimate Auth0 emails to carry out phishing attacks.
- More difficult tracking and auditing of who accessed the reset information.
Recommended Approach: Monitoring Events Using Auth0 Logs + Configuring Log Streams in Auth0
A more secure option is to use Auth0’s logging and monitoring features, which provide detailed insights into account activities without exposing sensitive information.
Auth0 provides a Management API, which makes it possible to programmatically retrieve logs. For details, refer to Retrieve Log Events Using the Management API. By using this API, it is possible to set up a script or automation tool that regularly pulls logs for specific events, such as account blocks or resets.
For a more integrated and scalable solution, you can stream these logs to external logging services like AWS EventBridge, Splunk, or Datadog. For more details, see Log Streams.
Once the logs are in a centralized system, monitoring rules can be set that look for specific events. For example, the system can be configured to detect when a Successful change password request (scpr) event occurs. Refer to Log Stream Filters for information on configuring filters.
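The following script is an added example of the approach described above; it is not code from the article or from Auth0. It builds the Management API request that returns only scpr events (GET /api/v2/logs with a Lucene-style q filter), and it runs a simple monitoring rule over log events: every scpr event becomes an alert record, and a user who triggers several change password requests within a short window is flagged for review. The tenant domain, the token (which must carry the read:logs scope) and the sample events are all assumptions constructed for this example; the sample events use the field names of Auth0 log events so that the same rule can be applied to events arriving through a log stream.

```python
"""Monitor Auth0 'Successful change password request' (scpr) events.

Added example, not Auth0's own code. Assumes a Management API token with
the read:logs scope in AUTH0_MGMT_TOKEN and the tenant domain in
AUTH0_DOMAIN. SAMPLE_EVENTS below is constructed data for offline use.
"""
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime

SCPR = "scpr"  # Auth0 log event type code for a successful change password request


def build_logs_url(domain, event_type=SCPR, per_page=100):
    """URL for GET /api/v2/logs restricted to one event type, newest first."""
    params = {"q": f"type:{event_type}", "per_page": str(per_page), "sort": "date:-1"}
    return f"https://{domain}/api/v2/logs?" + urllib.parse.urlencode(params)


def fetch_logs(domain, token, event_type=SCPR):
    """Retrieve log events from the Management API (performs a network call)."""
    req = urllib.request.Request(
        build_logs_url(domain, event_type),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _parse_date(value):
    # Auth0 dates are ISO 8601 with a trailing 'Z'; make them parseable on Python 3.7+.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_scpr(events, window_minutes=60, threshold=3):
    """Apply the monitoring rule to a list of log events.

    Returns (alerts, flagged_users): one alert dict per scpr event, and the
    set of users with at least `threshold` scpr events inside `window_minutes`.
    """
    alerts = []
    times_by_user = {}
    for ev in events:
        if ev.get("type") != SCPR:
            continue  # ignore logins and every other event type
        user = ev.get("user_name") or ev.get("user_id") or "<unknown>"
        alerts.append({
            "log_id": ev.get("log_id"),
            "date": ev.get("date"),
            "user": user,
            "client": ev.get("client_name"),
            "ip": ev.get("ip"),
        })
        times_by_user.setdefault(user, []).append(_parse_date(ev["date"]))

    flagged = set()
    for user, times in times_by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_minutes * 60:
                j += 1
            if j - i >= threshold:  # `threshold` requests inside one window
                flagged.add(user)
                break
    return alerts, flagged


# Constructed sample events in the shape of Auth0 log records (not real tenant data).
SAMPLE_EVENTS = [
    {"log_id": "1", "type": "scpr", "date": "2024-01-15T10:00:00.000Z",
     "user_name": "alice@example.com", "client_name": "Web App", "ip": "203.0.113.10"},
    {"log_id": "2", "type": "s", "date": "2024-01-15T10:02:00.000Z",
     "user_name": "alice@example.com", "client_name": "Web App", "ip": "203.0.113.10"},
    {"log_id": "3", "type": "scpr", "date": "2024-01-15T10:05:00.000Z",
     "user_name": "alice@example.com", "client_name": "Web App", "ip": "203.0.113.10"},
    {"log_id": "4", "type": "scpr", "date": "2024-01-15T10:09:00.000Z",
     "user_name": "alice@example.com", "client_name": "Web App", "ip": "203.0.113.10"},
    {"log_id": "5", "type": "scpr", "date": "2024-01-15T11:30:00.000Z",
     "user_name": "bob@example.com", "client_name": "Web App", "ip": "198.51.100.7"},
]

if __name__ == "__main__":
    domain, token = os.environ.get("AUTH0_DOMAIN"), os.environ.get("AUTH0_MGMT_TOKEN")
    events = fetch_logs(domain, token) if domain and token else SAMPLE_EVENTS
    alerts, flagged = summarize_scpr(events)
    for a in alerts:
        print("scpr:", a)
    print("flagged for repeated requests:", sorted(flagged))
```

With the constructed sample, the rule produces four alert records and flags alice@example.com, whose three requests fall inside a single 60-minute window; bob@example.com's single request is recorded but not flagged. Against a live tenant the same `summarize_scpr` function can be fed the result of `fetch_logs` on a schedule, or the events delivered by a log stream that has been filtered to the scpr type.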