Identity events -- the audit log
Every identity transition in your workspace is recorded as an immutable row in the Identity events audit log. This is the evidentiary record an auditor will ask for and the troubleshooting surface you use when a verification flow goes wrong.
Open Settings — Workspaces — (your workspace) — Identity events to view it. The page is voice-channel-only until cross-channel verification ships; email and chat events appear there once the cross-channel implementation lands.
Reading the table
Section titled “Reading the table”Each row has:
- Timestamp — when the event fired, to the second.
- Event — the event type (see below).
- Contact — the contact id the event is bound to, when known. Truncated for readability; click to expand.
- Conversation — the conversation the event belongs to; click to open the conversation detail page.
- Prompt v — the version of the verification agent’s system prompt at the time of the event. Useful when investigating differences in behaviour across deployments.
Clicking any row expands the full JSON payload of the event for deep investigation.
Event types
Section titled “Event types”| Event | What it means |
|---|---|
| Factor added | A successful identification factor was minted (KBV pass, magic-link click). |
| Factor failed | A verification attempt produced an incorrect answer or a tampered token. |
| KBV question asked | The verification specialist asked the caller a question from a lookup tool. |
| KBV question passed | The caller answered the question correctly. |
| KBV question failed | The caller’s answer didn’t match. |
| Identity locked (per-call) | The per-call wrong-answer cap was hit; the verification specialist gave up for this call. |
| Identity locked (24h) | The per-identity 24-hour failure cap was hit; the contact is locked out across calls until the lockout duration elapses. |
| ANI blocked | A single caller-ID has attempted verification under too many different identities; further attempts from that number are blocked. |
| Assurance level reached | The caller’s combined factors brought them to identified or high-assurance. |
| Verification not configured | A tool gate fired but the workspace has no lookup tools attached, so the verification specialist couldn’t run. |
| Verification-agent context used | The verification specialist read a lookup tool under the platform-internal bypass; the bypass binds to this specific contact + tool. |
| Scope set | The caller’s permitted account list was set or changed during the conversation. |
| Risk signal raised | An automated signal (synthetic voice, replay attack, mismatched caller ID) was raised against this conversation. |
Filtering and searching
Section titled “Filtering and searching”The top of the page has a filter bar:
- Event type — restrict to one of the types above.
- Contact — show events for a specific contact id.
- From / To — restrict to a time range.
If you’re investigating a specific caller’s experience, the fastest path is to open the conversation directly, click into a turn, and review the Identity events section on the right-hand Inspect panel. Workspace-level filtering is for cross-conversation analysis like “How many lockouts did we see last week?”
Retention
Section titled “Retention”Identity events are retained for the period set in Settings — Workspaces — (your workspace) — Identity & Verification — Data retention (default 24 months). A nightly retention sweep deletes rows older than the cutoff.
For data-subject right-to-erasure requests under GDPR Art. 17, contact your platform administrator; the operational runbook is at docs/identity/12-retention-and-erasure.md.