Use case

Logins, password resets, MFA changes, session revocations, all in one trail

Log authentication events with actor, IP, user agent and outcome. Detect credential stuffing, replay suspicious sessions, and prove to enterprise customers that security matters to you.

Start logging for freeSee the events reference
The problem

Authentication libraries log to stdout. Your sessions table has a couple of booleans. When a user asks 'did someone else log into my account last Tuesday?', you have nothing good to show them. When you want to detect credential stuffing, there is no timeline to aggregate over. When an enterprise customer asks for a security event export, you have nothing to export.

The Recalled way

Emit an event on every auth-related action: `user.login.success`, `user.login.failed`, `user.password.changed`, `user.password.reset`, `user.mfa.enabled`, `user.session.revoked`. Include the IP, user agent and outcome. Recalled's dashboard lets you filter by `user.login.failed` across all actors to spot brute-force patterns, or by a single actor to answer one user's question.

Inside your auth handler
await recalled.events.create({
  action: "user.login.failed",
  actor: { id: user?.id ?? null, email: attempt.email },
  organization: user?.orgId,
  metadata: { reason: "invalid_password", ip: req.ip, userAgent },
});

Why security teams pick Recalled

  • Outcome on every attempt

    Success or failure is part of the action name, so filtering 'all failed logins last 24h' is one query.

  • Actor + IP model

    Even failed logins that never found a user get an IP and a user agent. Aggregate to spot distributed attacks.

  • Retention per action prefix

    Keep `user.login.*` for a year, expire `user.password.reset` after 90 days. Available on Pro and Scale.

  • Exportable to your SIEM

    CSV or JSON export on demand. Push into Splunk, Datadog, or whatever your security team lives in.

Related use cases

Reconstruct any user's timeline

Query every event by actor id to rebuild a minute-by-minute timeline of what a user did. Perfect for support investigations, bug reports, and replaying the context of a complaint.

Audit every admin action

Log every sensitive action taken by a staff member from your back-office: suspensions, refunds, impersonations, role changes. Answer 'who did this and when' before anyone has to ask.

Your next audit log is 2 minutes away

Stop hacking on your own logs table. Drop in Recalled, send your first event, move on.

Start for freeRead the docs