Tooling for auditing Auth0 MAU

Problem statement

When using Bulk User Exports and sorting by last_login, the count of users that have logged in during a given month is far less than the MAU count retrieved with the Auth0 Management API v2 endpoint for the same month.

Why does the quota link return different results compared to bulk-user exports?


The bulk-user-export endpoint retrieves the users for one specific database connection within the tenant specified in the request.
If you are retrieving only the users for one of your Databases, you are missing the users that may be in other Databases in your tenant and logged in that same month.


Using bulk user exports is not the most practical way to audit your External Active Users.

To obtain this information, you can always use the Quota Utilization reports shown in the Support Center or the get_active_users endpoint of the Management API (Auth0 Management API v2).

For MAU, we don’t count the number of logins but rather active usage. The most important measure of usage is the number of active users. We consider a user to be active in a given month if they have generated a log of user activity with its user_id. Each tenant this user logs into will result in a new user profile with a unique user_id on the respective tenant.

To count the MAUs, you should query tenant logs for successful login events.
The Auth0 MAU usage calculation also counts, for instance, a Refresh Token exchange as a log of user activity: the successful exchange of a Refresh Token for an Access Token is a successful authentication event. The following log event types are therefore considered successful authentication events:

s: Successful login
sepft: Successful exchange of password for token
ssa: Successful silent authentication
seoobft: Successful exchange of Password and OOB Challenge for Access Token
seotpft: Successful exchange of Password and OTP Challenge for Access Token
sercft: Successful exchange of Password and MFA Recovery code for Access Token
sertft: Successful exchange of Refresh Token for Access Token
seacft: Successful exchange of authorization code for Access Token
scoa: Success cross-origin authentication
sens: Successful native social exchange
sede: Successful exchange of device code for Access Token
si: Successfully accepted a user invitation

Disclaimer: This method should approximate the MAU numbers from the quota reports but might be slightly different due to:

  1. Filtering out usage from the global client.
  2. Plans with ‘Internal’ users that require rules based on email domains to classify them as internal/external.
  3. Legacy plans with ‘Regular/Enterprise’ users, which add complexity to classify users as enterprise or regular based on the connection used to sign up.
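
A sketch of the log-based count described above, added here as an example and not Auth0's own code: it counts distinct user_id values across the listed event types for one month and breaks them down per connection, which shows why looking at a single connection undercounts. The event field names (type, date, user_id, client_id, connection), the UTC month boundary, the excluded_client_ids parameter and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Event type codes the article lists as successful authentication activity.
ACTIVE_TYPES = {"s", "sepft", "ssa", "seoobft", "seotpft", "sercft",
                "sertft", "seacft", "scoa", "sens", "sede", "si"}


def monthly_active_users(events, year, month, excluded_client_ids=()):
    """Return (distinct user_ids, user_ids per connection) for one month.

    Assumptions: each event is a dict with type, date (ISO 8601), user_id,
    client_id and connection keys, and the month is bounded in UTC.
    """
    active, by_connection = set(), defaultdict(set)
    for ev in events:
        user_id = ev.get("user_id")
        if ev.get("type") not in ACTIVE_TYPES or not user_id:
            continue  # not a successful-auth event, or no user attached
        if ev.get("client_id") in excluded_client_ids:
            continue  # caller-supplied exclusions, e.g. the global client
        when = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
        when = when.astimezone(timezone.utc)
        if (when.year, when.month) != (year, month):
            continue
        active.add(user_id)  # a set, so repeat activity counts once
        by_connection[ev.get("connection") or "unknown"].add(user_id)
    return active, dict(by_connection)


def _ev(type_, date, user, conn, client="app-1"):
    return {"type": type_, "date": date, "user_id": user,
            "connection": conn, "client_id": client}


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    _ev("s", "2024-03-02T10:00:00.000Z", "auth0|u1", "db-main"),
    _ev("sertft", "2024-03-15T08:30:00.000Z", "auth0|u1", "db-main"),
    _ev("sertft", "2024-03-20T12:00:00.000Z", "auth0|u2", "db-partners"),
    _ev("f", "2024-03-21T09:00:00.000Z", "auth0|u3", "db-main"),
    _ev("s", "2024-04-01T00:00:00.000Z", "auth0|u4", "db-main"),
    _ev("ssa", "2024-03-05T11:00:00.000Z", "auth0|u5", "db-main",
        client="GLOBAL_CLIENT_ID_PLACEHOLDER"),
]

if __name__ == "__main__":
    users, per_conn = monthly_active_users(
        SAMPLE_EVENTS, 2024, 3, {"GLOBAL_CLIENT_ID_PLACEHOLDER"})
    print(len(users), {c: len(u) for c, u in per_conn.items()})
```

In the sample, auth0|u2 appears only through a Refresh Token exchange on a second connection, so a count taken from db-main alone would miss that user.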

This log-based approach is limited by the log retention period for your tenant.
In this case, using a Log Streaming service could help you build your own way of presenting this data over the long term, but that would require manual setup. More information about Log Streaming is available here: Log Streams.
