Skip to main content

Overview

System events are generated by WorkOS (our authentication provider) and track identity-related activity across your organization. These events provide visibility into authentication, user lifecycle, and directory sync operations. System events are separate from audit logs and are retained for 30 days.

What System Events Track

System events capture:
  • Authentication attempts - SSO, OAuth, password, and MFA login events
  • User lifecycle events - User creation, updates, and deletion
  • Directory sync activity - User and group provisioning through SCIM
  • Session management - Session creation and termination
  • Password operations - Password resets and changes

Accessing System Events

System events are accessible to organization administrators through the Centure platform.
1

Navigate to System Events

In your organization’s sidebar, click System Events (visible to admins only).
2

View Event History

Browse the chronological list of authentication and identity events for your organization.
3

Filter Events

Use the filters to narrow down events by type, date range, or user.

Event Retention

System events are retained for 30 days. After 30 days, events are automatically deleted and cannot be recovered.
For longer retention periods and compliance requirements, use Audit Logs which offer 30-day or 12-month retention based on your subscription.

Common Event Types

Authentication Events

WorkOS tracks all authentication attempts including:
  • SSO login success and failures
  • OAuth authorization flows
  • Password-based authentication
  • Multi-factor authentication (MFA) attempts
  • Magic link authentication

User Lifecycle Events

WorkOS records user account changes:
  • User account creation (through signup or directory sync)
  • User profile updates (name, email changes)
  • User account deletion or deactivation
  • Email verification and confirmation

Directory Sync Events

For organizations using directory sync:
  • User provisioning from identity provider
  • User deprovisioning and suspension
  • Group membership changes
  • Sync errors and failures

Session Events

Session management tracking:
  • Session creation and authentication
  • Session refresh and token renewal
  • Session termination and logout
  • Concurrent session detection

WorkOS Events Documentation

For detailed information about system event types, schemas, and fields, see the WorkOS Events documentation. WorkOS provides comprehensive documentation for:
  • Complete event type catalog
  • Event payload schemas
  • Webhook integration options
  • Event filtering and querying

System Events vs Audit Logs

Understanding the difference between system events and audit logs:

System Events

Generated by: WorkOS (authentication provider)Tracks: Authentication, user lifecycle, directory syncRetention: 30 daysAccess: Organization admins via System Events page

Audit Logs

Generated by: Centure platformTracks: User actions within Centure (API keys, projects, settings)Retention: 30 days or 12 months (based on subscription)Access: Admins via WorkOS Audit Logs portal

Use Cases

Track system events to:
  • Monitor authentication patterns and detect suspicious login attempts
  • Audit user lifecycle changes for compliance
  • Troubleshoot SSO and directory sync issues
  • Investigate failed authentication attempts
  • Track user provisioning and deprovisioning

Audit Logs

Centure audit logs for platform actions and API activity

SSO Configuration

Single sign-on setup and configuration events

Directory Sync

Directory sync configuration and management

User Events

Centure audit events for user profile access