Skip to main content
Version: 4.x

Audit Logs

Audit Logs give you a detailed, searchable record of authentication events on your site. Every login attempt, registration, password reset, OAuth flow, 2FA challenge, API key action, and settings change can be captured and stored in your WordPress database.

Audit logging is disabled by default. Enable it in Settings → Simple JWT Login → Audit Logs → Config.


Configuration

Audit Logging configuration

Enable Audit Logging

Toggle the Enable Audit Logging switch at the top of the Audit Logs configuration page.

Events to Log

Choose which events to capture. You can enable all events at once using the Enable All button, or pick individual events using the checkboxes. Use the search box to filter the list.

The full list of trackable events:

Authentication events

Event keyLabelDescription
auth.login.successLogin SuccessA JWT was successfully generated for a user
auth.login.failedLogin FailedAuthentication failed (wrong credentials, disabled, etc.)
auth.logout.successLogout (Token Revoked)A JWT was successfully revoked
auth.logout.failedLogout FailedToken revocation failed
auth.register.successRegister SuccessA new WordPress user was created via the API
auth.register.failedRegister FailedUser registration failed
auth.password_reset.requestPassword Reset RequestA password reset code was requested
auth.password_reset.successPassword Reset SuccessPassword successfully changed
auth.password_reset.failedPassword Reset FailedPassword change failed
auth.delete_user.successDelete User SuccessA user account was deleted via the API
auth.delete_user.failedDelete User FailedUser deletion failed
auth.login_session.successAuto-Login Session SuccessAuto-login via JWT completed successfully
auth.login_session.failedAuto-Login Session FailedAuto-login via JWT failed
auth.refresh_token.successRefresh Token SuccessA JWT was successfully refreshed
auth.refresh_token.failedRefresh Token FailedToken refresh failed
auth.oauth.successOAuth Login SuccessOAuth authentication completed successfully
auth.oauth.failedOAuth Login FailedOAuth authentication failed

Two-Factor Authentication events

Event keyLabelDescription
auth.2fa.challenge_issued2FA Challenge IssuedA 2FA challenge was sent to the user
auth.2fa.verify_success2FA Verification Success2FA code verified successfully
auth.2fa.verify_failed2FA Verification Failed2FA code verification failed

Settings events

Event keyLabelDescription
settings.save.successSettings SavedPlugin settings were saved by an admin

API Key events

Event keyLabelDescription
api_key.create.successAPI Key CreatedA new API key was created
api_key.create.failedAPI Key Create FailedAPI key creation failed
api_key.update.successAPI Key UpdatedAn API key was updated
api_key.update.failedAPI Key Update FailedAPI key update failed
api_key.revoke.successAPI Key RevokedAn API key was revoked
api_key.revoke.failedAPI Key Revoke FailedAPI key revocation failed
api_key.delete.successAPI Key DeletedAn API key was deleted
api_key.delete.failedAPI Key Delete FailedAPI key deletion failed
api_key.usedAPI Key UsedA request was authenticated using an API key

Retention Period

Set how many days to keep log entries. Entries older than this threshold are automatically purged by a scheduled WordPress cron job. The minimum value is 1 day.

Default: 90 days.

tip

For compliance use cases (GDPR, SOC 2, etc.), set the retention period to match your data-retention policy. For high-traffic sites, a shorter window keeps the database table from growing too large.


Viewing Log Entries

Audit Log entries

Go to Settings → Simple JWT Login → Audit Logs → Logs to view the stored entries.

Each entry records:

  • Event - the event key (e.g. auth.login.success)
  • User ID - the WordPress user involved (where applicable)
  • User Email - the email of the user involved
  • Status - success or failed
  • Details - additional context (e.g. changed setting keys)
  • IP Address - the client IP that triggered the event
  • Timestamp - when the event occurred

Logging Performance

Audit log writes are dispatched after the API response is sent to the client - they never block or delay the response your app receives.

The plugin uses PHP's fastcgi_finish_request() to flush the response first, then write the log entry in the same PHP process. If that function is unavailable (see table below), the log write happens synchronously before the response is returned. Database writes are fast, so this rarely causes noticeable latency.

Server environmentAsync logging
nginx + PHP-FPM (standard nginx setup)Yes - response flushed before log is written
Apache + PHP-FPM (mod_proxy_fcgi)Yes - response flushed before log is written
Apache + mod_phpNo - log write blocks the response
LiteSpeed / OpenLiteSpeedDepends on version - generally no

Use Cases

  • Security monitoring - track failed login attempts and unusual activity patterns
  • Compliance - demonstrate an audit trail for authentication events
  • Debugging - reproduce exact event sequences when troubleshooting user-reported issues
  • Change tracking - see exactly which settings were modified and when via settings.save.success