Activity logging for tenant projects is disabled by default. You can enable
activity logging for tenant projects, using the REST API, by executing the following command:
SelectIdentity Toolkit ProjectorIdentity Toolkit Tenantfrom the
resources dropdown. If you're usingmulti-tenancy,
you can show all tenants, or filter to a specific one.
Logged operations
The follow table lists the API operations that can produce activity logs:
Logging gives you tools to disable log ingestion or exclude log
entries you don't want. For more information about how to exclude certain logs,
seeLogs Exclusions.
The following example shows how to exclude logs for the read-onlyGetAccountInfo()andGetProjectConfig()methods:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eActivity logging, which tracks user requests like registration and sign-in, is disabled by default and can be enabled via the Google Cloud console or REST API.\u003c/p\u003e\n"],["\u003cp\u003eEnabling activity logging for both main and tenant projects is possible, but it can impact billing, so consulting Google Cloud Observability pricing is recommended.\u003c/p\u003e\n"],["\u003cp\u003eActivity logs can be viewed through the Logs Explorer in the Google Cloud console by selecting either "Identity Toolkit Project" or "Identity Toolkit Tenant" in the resource dropdown.\u003c/p\u003e\n"],["\u003cp\u003eEach log entry includes details such as the log name, resource, service name, and the logged request or response (\u003ccode\u003eprotoPayload\u003c/code\u003e).\u003c/p\u003e\n"],["\u003cp\u003eCertain log entries can be excluded from ingestion, for example, logs for the read-only methods \u003ccode\u003eGetAccountInfo()\u003c/code\u003e and \u003ccode\u003eGetProjectConfig()\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Activity logging\n================\n\nThis document describes how to use Cloud Logging for activity logging with\nIdentity Platform.\n| **Note:** *Activity logging* refers to requests made by your app's users, such as registration or sign-in requests. To log requests made by administrators, see [Audit logging](/identity-platform/docs/audit-logging).\n\nEnabling activity logging\n-------------------------\n\nActivity logging is disabled by default. You can enable activity logging\nthrough the Google Cloud console or by using the REST API: \n\n### Console\n\n1. Go to the **Settings** page in the Google Cloud console. \n\n [Go to Settings](https://console.cloud.google.com/customer-identity/settings) \n\n2. Under **User activity logging** , select **Enable**.\n\n3. Click **Save**.\n\n### REST\n\n```bash\ncurl -d \"{'monitoring':{'requestLogging':{'enabled':true}}}\" \\\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n -X PATCH -H 'Content-Type: application/json' \\\n https://identitytoolkit.googleapis.com/admin/v2/projects/PROJECT_ID/config?updateMask=monitoring.requestLogging.enabled\n```\n\nReplace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the project ID.\n\nEnabling activity logging can affect your billing. See\n[Google Cloud Observability pricing](/stackdriver/pricing) to learn more.\n\nEnabling activity logging for tenant projects\n---------------------------------------------\n\nActivity logging for tenant projects is disabled by default. You can enable\nactivity logging for tenant projects, using the REST API, by executing the following command: \n\n```bash\ncurl -d \"{'monitoring':{'requestLogging':{'enabled':true}}}\" \\\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n -X PATCH -H 'Content-Type: application/json' \\\n https://identitytoolkit.googleapis.com/v2/projects/PROJECT_ID/tenants/TENANT_ID?updateMask=monitoring.requestLogging.enabled\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the project ID.\n- \u003cvar translate=\"no\"\u003eTENANT_ID\u003c/var\u003e: the tenant ID.\n\nEnabling activity logging can affect your billing. See\n[Pricing for Google Cloud Observability](/stackdriver/pricing) to learn more.\n\nViewing activity logs\n---------------------\n\nWhen Logging is enabled, a log entry is generated for each\nuser request. Each log entry includes the following fields:\n\nYou can see your project or tenant's activity logs using the\n[Logs Explorer](/logging/docs/view/logs-explorer-interface). To view logs:\n\n1. In the Google Cloud console, go to the **Logs Explorer** page.\n\n [Go to the Logs Explorer page](https://console.cloud.google.com/logs)\n2. Select **Identity Toolkit Project** or **Identity Toolkit Tenant** from the\n resources dropdown. If you're using [multi-tenancy](/identity-platform/docs/multi-tenancy),\n you can show all tenants, or filter to a specific one.\n\nLogged operations\n-----------------\n\nThe follow table lists the API operations that can produce activity logs:\n\n### Excluding operations\n\nLogging gives you tools to disable log ingestion or exclude log\nentries you don't want. For more information about how to exclude certain logs,\nsee [Logs Exclusions](/logging/docs/exclusions).\n\nThe following example shows how to exclude logs for the read-only\n`GetAccountInfo()` and `GetProjectConfig()` methods: \n\n resource.type=\"identitytoolkit_project\"\n (\n jsonPayload.methodName=\"google.cloud.identitytoolkit.v1.AccountManagementService.GetAccountInfo\"\n OR\n jsonPayload.methodName=\"google.cloud.identitytoolkit.v1.ProjectConfigService.GetProjectConfig\"\n )"]]
