Managing users & activity

This page covers the day-to-day administration surfaces in the admin console: administrators, realm users, the audit trails (Activity, Events, Emails), and your own session management.

Administrators

The Users page (/users) lists the administrators of your organization — the people who can sign in to the admin console. Columns include Email, Verified, Passkey, Active Sessions, Last Login, and Created.

To add one, use the Add Admin User form (a single Email field). The account is created unverified and passwordless: the new admin proves ownership of the address by completing their first magic-link sign-in, exactly like any other SemAuth user. There is no password to set or send.

Realm users

Open a realm's Users page (/realms/{issuer_id}/users) to see its end users — Email, Verified, Passkey, Linked IDPs, Active Sessions, Last Login, Created, and Status. Most end users are created automatically the first time they sign in (via magic link or federation); you generally don't pre-create them.

Deactivate / reactivate

Deactivation is the administrator's kill switch. It cascades through the event log, so the effect is global and immediate, not eventually-consistent.

Audit trails

SemAuth is event-sourced — every meaningful action is an immutable event. Three views expose them:

ViewPathShows
Activity/activityOrganization-level events: realm/app/client config changes, signups, admin logins. Includes actor, IP, user agent, and correlation IDs.
Events/realms/{issuer_id}/eventsPer-realm user activity: sign-ins, sessions, grants, refresh-token families, magic links, passkeys. Filterable to a single user.
Emails/emailsEvery email SemAuth sent for your org (To, From, Subject, Provider, timestamp). Useful to confirm a magic link actually went out.

The split is deliberate: Activity answers "what changed in my configuration and who changed it", while a realm's Events answers "what did my users do". Sensitive values (like the live magic-link token) are redacted in the stored copies.

Your own sessions

The Account → Sessions page (/account/sessions) lets you, the signed-in administrator, review your active admin-console sessions (device, IP, created, last seen) and revoke any that aren't the current one. A "Recent activity" section lists sessions ended in the last 30 days with the reason (logged out, revoked, expired). To end your current session, use logout. You can also manage your own passkeys from /account/passkeys.

Where each task lives

I want to…Go to
Add another administrator/users → Add Admin User
Off-board an end user immediatelyRealm → Users → Deactivate
See who changed a client's config/activity
Investigate a user's sign-insRealm → Events (filter by user)
Confirm an email was delivered/emails
Sign out a lost laptop/account/sessions → Revoke