# Audit events

Authority emits structured audit records for all credential and bootstrap flows.
Records are deterministic and safe for offline export.

Core fields
- eventType: canonical name such as authority.password.grant.
- occurredAt: UTC timestamp.
- correlationId: stable identifier for tracing.
- outcome: success, failure, lockedOut, rateLimited, error.
- subject: identity fields marked as PII.
- client: OAuth client identity and provider.
- scopes: sorted list of granted or requested scopes.
- network: remote address and user agent (PII).
- properties: additional context such as lockout or tamper flags.

Data classification
- Fields are tagged as None, Personal, or Sensitive.
- Downstream sinks can redact or isolate PII and sensitive fields.

Event naming
- Use authority.<surface>.<action> naming for determinism.
- Examples: authority.token.tamper, authority.bootstrap.invite.created.

Persistence and export
- Stored in Authority login attempt collections with summary fields.
- Exports must honor classification tags and redact PII as required.

Related references
- docs/security/audit-events.md