> ## Documentation Index
> Fetch the complete documentation index at: https://docs.centure.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Portal Access Events

> Events generated when administrators access WorkOS audit log and stream management portals

<Info>
  Audit logging requires the Audit Logging add-on. See [Add-ons pricing](/pricing/add-ons) for details.
</Info>

## Overview

These events track when organization administrators generate portal URLs to access WorkOS management interfaces. These are meta-events that record when admins request access to audit logging configuration—they do not track changes to log streams or audit log configurations themselves.

Both events follow identical schemas and differ only in the portal type being accessed:

* `audit_logs.create_management_portal_url` - Tracks portal URL generation for viewing and exporting audit logs
* `log_streams.create_management_portal_url` - Tracks portal URL generation for configuring SIEM integrations and log streaming

## audit\_logs.create\_management\_portal\_url

Triggered when an organization administrator generates a portal URL to access the WorkOS Audit Logs management interface.

### When This Event Occurs

This event records when an admin:

* Opens the audit logs portal from organization settings
* Generates a URL to view, search, or export audit logs
* Accesses the audit logs management interface for compliance review

### Event Schema

<ResponseField name="action" type="string" required>
  `audit_logs.create_management_portal_url`
</ResponseField>

<ResponseField name="actor" type="object" required>
  The administrator accessing the audit logs portal

  <Expandable title="properties">
    <ResponseField name="type" type="string" required>
      Always `"user"`
    </ResponseField>

    <ResponseField name="id" type="string" required>
      User's unique identifier
    </ResponseField>

    <ResponseField name="name" type="string" required>
      User's full name (first name + last name)
    </ResponseField>

    <ResponseField name="metadata" type="object" required>
      <Expandable title="properties">
        <ResponseField name="first_name" type="string" required>
          User's first name
        </ResponseField>

        <ResponseField name="last_name" type="string" required>
          User's last name
        </ResponseField>

        <ResponseField name="email" type="string" required>
          User's email address
        </ResponseField>

        <ResponseField name="impersonator_email" type="string">
          Email of admin impersonating the user (empty string if not impersonated)
        </ResponseField>

        <ResponseField name="impersonator_reason" type="string">
          Reason provided for impersonation (empty string if not impersonated)
        </ResponseField>
      </Expandable>
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="targets" type="array" required>
  <Expandable title="target object">
    <ResponseField name="type" type="string" required>
      Always `"organization"`
    </ResponseField>

    <ResponseField name="id" type="string" required>
      Organization's unique identifier
    </ResponseField>

    <ResponseField name="name" type="string" required>
      Organization's display name
    </ResponseField>

    <ResponseField name="metadata" type="object" required>
      <Expandable title="properties">
        <ResponseField name="name" type="string" required>
          Organization's display name
        </ResponseField>
      </Expandable>
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="context" type="object" required>
  <Expandable title="properties">
    <ResponseField name="location" type="string" required>
      IP address of the request, or `"unknown"` if unavailable
    </ResponseField>

    <ResponseField name="userAgent" type="string" required>
      User agent string from the request, or `"unknown"` if unavailable
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="metadata" type="object" required>
  <Expandable title="properties">
    <ResponseField name="source" type="string" required>
      Page route where portal access was initiated (e.g., `/organizations/{id}/audit-logs`)
    </ResponseField>
  </Expandable>
</ResponseField>

### Example Event

```json theme={null}
{
  "action": "audit_logs.create_management_portal_url",
  "occurredAt": "2024-11-02T19:30:00.000Z",
  "version": 1,
  "actor": {
    "type": "user",
    "id": "user_01JA2B3C4D5E6F7G8H9J0K1M",
    "name": "Jane Smith",
    "metadata": {
      "first_name": "Jane",
      "last_name": "Smith",
      "email": "jane.smith@example.com",
      "impersonator_email": "",
      "impersonator_reason": ""
    }
  },
  "targets": [
    {
      "type": "organization",
      "id": "org_01JA2B3C4D5E6F7G8H9J0K1M",
      "name": "Example Corp",
      "metadata": {
        "name": "Example Corp"
      }
    }
  ],
  "context": {
    "location": "203.0.113.42",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
  },
  "metadata": {
    "source": "/organizations/org_01JA2B3C4D5E6F7G8H9J0K1M/audit-logs"
  }
}
```

***

## log\_streams.create\_management\_portal\_url

Triggered when an organization administrator generates a portal URL to access the WorkOS Log Streams management interface for SIEM integrations.

### When This Event Occurs

This event records when an admin:

* Opens the log streams portal from organization settings
* Generates a URL to configure SIEM integrations
* Accesses log streaming settings to connect to external security platforms (Splunk, Datadog, etc.)

### Event Schema

<ResponseField name="action" type="string" required>
  `log_streams.create_management_portal_url`
</ResponseField>

<ResponseField name="actor" type="object" required>
  The administrator accessing the log streams portal

  <Expandable title="properties">
    <ResponseField name="type" type="string" required>
      Always `"user"`
    </ResponseField>

    <ResponseField name="id" type="string" required>
      User's unique identifier
    </ResponseField>

    <ResponseField name="name" type="string" required>
      User's full name (first name + last name)
    </ResponseField>

    <ResponseField name="metadata" type="object" required>
      <Expandable title="properties">
        <ResponseField name="first_name" type="string" required>
          User's first name
        </ResponseField>

        <ResponseField name="last_name" type="string" required>
          User's last name
        </ResponseField>

        <ResponseField name="email" type="string" required>
          User's email address
        </ResponseField>

        <ResponseField name="impersonator_email" type="string">
          Email of admin impersonating the user (empty string if not impersonated)
        </ResponseField>

        <ResponseField name="impersonator_reason" type="string">
          Reason provided for impersonation (empty string if not impersonated)
        </ResponseField>
      </Expandable>
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="targets" type="array" required>
  <Expandable title="target object">
    <ResponseField name="type" type="string" required>
      Always `"organization"`
    </ResponseField>

    <ResponseField name="id" type="string" required>
      Organization's unique identifier
    </ResponseField>

    <ResponseField name="name" type="string" required>
      Organization's display name
    </ResponseField>

    <ResponseField name="metadata" type="object" required>
      <Expandable title="properties">
        <ResponseField name="name" type="string" required>
          Organization's display name
        </ResponseField>
      </Expandable>
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="context" type="object" required>
  <Expandable title="properties">
    <ResponseField name="location" type="string" required>
      IP address of the request, or `"unknown"` if unavailable
    </ResponseField>

    <ResponseField name="userAgent" type="string" required>
      User agent string from the request, or `"unknown"` if unavailable
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="metadata" type="object" required>
  <Expandable title="properties">
    <ResponseField name="source" type="string" required>
      Page route where portal access was initiated (e.g., `/organizations/{id}/audit-logs`)
    </ResponseField>
  </Expandable>
</ResponseField>

### Example Event

```json theme={null}
{
  "action": "log_streams.create_management_portal_url",
  "occurredAt": "2024-11-02T19:45:00.000Z",
  "version": 1,
  "actor": {
    "type": "user",
    "id": "user_01JA2B3C4D5E6F7G8H9J0K1M",
    "name": "Jane Smith",
    "metadata": {
      "first_name": "Jane",
      "last_name": "Smith",
      "email": "jane.smith@example.com",
      "impersonator_email": "",
      "impersonator_reason": ""
    }
  },
  "targets": [
    {
      "type": "organization",
      "id": "org_01JA2B3C4D5E6F7G8H9J0K1M",
      "name": "Example Corp",
      "metadata": {
        "name": "Example Corp"
      }
    }
  ],
  "context": {
    "location": "203.0.113.42",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
  },
  "metadata": {
    "source": "/organizations/org_01JA2B3C4D5E6F7G8H9J0K1M/audit-logs"
  }
}
```

***

## Common Fields

Both events share the same structure and only differ in the `action` field. They track administrative access to audit log infrastructure rather than changes to resources.

### Authorization

These events are only generated when:

* The user has the `admin` role in the organization
* The organization has the Audit Logging add-on enabled
* The user successfully generates a WorkOS portal URL

### Portal URLs

Generated portal URLs:

* Redirect users to the WorkOS management interface
* Are temporary and expire after use
* Include `successUrl` and `returnUrl` parameters to return to the Centure dashboard
* Grant access to either audit logs (view/export) or log streams (SIEM configuration)

### Use Cases

Track these events to:

* Monitor who accesses audit log management capabilities
* Audit administrative access to compliance tools
* Track SIEM configuration changes (via log streams portal access)
* Detect unusual access patterns to security infrastructure
