OAuth tokens
Events emitted when OAuth tokens are issued or revoked in a Qlik Cloud tenant. These events enable tracking of token issuance and revocation for security and auditing.
These events are available for consumption via:
Published when an OAuth token is issued.
Payload
object
- id (string, required)
  Identifies the event.
- time (string)
  Timestamp of when the occurrence happened. Must adhere to RFC 3339.
- type (string, required)
  The type of event.
- source (string, required)
  Identifies the context in which an event happened.
- specversion (string, required)
  The version of the CloudEvents specification which the event uses.
- datacontenttype (string)
  Content type of the data value. Must adhere to RFC 2046 format.
- userid (string)
  Unique identifier for the user triggering the event.
- authtype (string)
  The type of principal that triggered the occurrence.
- originip (string)
  Origin IP address.
- tenantid (string, required)
  Unique identifier for the tenant related to the event.
- sessionid (string)
  Unique identifier for the session related to the event.
- authclaims (string)
  A JSON string representing claims of the principal that triggered the event.
- data (object, required)
  Data specific to the OAuth token issued event.
data properties
- id (string)
  Identifier of the newly issued token.
- scopes (array)
  The list of scopes granted to the token.
- appType (string)
  The app type of the client that the token was issued to.
- ownerId (string)
  Identifier of the OAuth client.
- issuedAt (string)
  Timestamp when the token was issued.
- tenantId (string)
  Identifier of the tenant the token belongs to.
- createdBy (string)
  Identifier of the OAuth client who created the token.
- grantType (string)
  The grant type that was used to generate the token.
  Can be one of: "authorization_code", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:token-exchange", "urn:qlik:oauth:user-impersonation", "urn:qlik:oauth:anonymous-embed"
- deviceType (string)
  The device manufacturer and model.
- description (string)
  A description of the token.
- resourceOwner (string)
  Identifier of the user the token was issued for.
- issuedToClientId (string)
  Identifier of the client the token was issued to.

com.qlik.oauth-token.issued
Example payload of the "OAuth token issued" event
```json
{
  "id": "A234-1234-1234",
  "time": "2026-01-01T12:00:00Z",
  "type": "com.qlik.oauth-token.issued",
  "source": "com.qlik/my-service",
  "specversion": "1.0",
  "datacontenttype": "application/json",
  "userid": "605a18af2ab08cdbfad09259",
  "authtype": "service_account",
  "originip": "0.0.0.0",
  "tenantid": "TiQ8GPVr8qI714Lp5ChAAFFaU24MJy69",
  "sessionid": "WZhiEfgW2bLd7HgR-jjzAh6VnicipweT",
  "authclaims": "{\"iss\":\"qlik.api.internal/service\",\"sub\":\"service\",\"subType\":\"service\"}",
  "data": {
    "id": "601abc3fe95f07dbb73ce50f",
    "scopes": [
      "user_default"
    ],
    "ownerId": "LkedCLXCtzdMdZJayyw8LzASxcL9jLTB",
    "issuedAt": "2025-10-30T07:06:22Z",
    "tenantId": "TiQ8GPVr8qI714Lp5ChAAFFaU24MJy69",
    "createdBy": "sEkC_KKE4RYwBzoeqQ4-TEp982A0gNnA",
    "deviceType": "Dell XPS 15",
    "description": "John's PC",
    "resourceOwner": "LkedCLXCtzdMdZJayyw8LzASxcL9jLTB",
    "issuedToClientId": "3e7651d5-98d9-467c-be0b-09623e6aa551"
  }
}
```

Published when OAuth tokens are revoked.
Payload
object
- id (string, required)
  Identifies the event.
- time (string)
  Timestamp of when the occurrence happened. Must adhere to RFC 3339.
- type (string, required)
  The type of event.
- source (string, required)
  Identifies the context in which an event happened.
- specversion (string, required)
  The version of the CloudEvents specification which the event uses.
- datacontenttype (string)
  Content type of the data value. Must adhere to RFC 2046 format.
- userid (string)
  Unique identifier for the user triggering the event.
- authtype (string)
  The type of principal that triggered the occurrence.
- originip (string)
  Origin IP address.
- tenantid (string, required)
  Unique identifier for the tenant related to the event.
- sessionid (string)
  Unique identifier for the session related to the event.
- authclaims (string)
  A JSON string representing claims of the principal that triggered the event.
- data (object, required)
  Data specific to the OAuth token revoked event.
data properties
- revokedAt (string, required)
  Timestamp when the token(s) were revoked.
- revokedBy (string)
  Identifier of the user who revoked the token(s).
- revokedContext (object, required)
  Context indicating the scope of the tokens that have been revoked (individual token or many tokens). The revoked tokens are the intersection of the context properties. For example, if both userId and clientId are provided, only tokens belonging to that user issued from that client are revoked (and not tokens from other users or from other clients).
  revokedContext properties
  - userId (string)
    If provided, revoked tokens are limited to this user.
  - grantId (string)
    Unique identifier of the token. If provided, only this specific token has been revoked.
  - clientId (string)
    If provided, revoked tokens are limited to this OAuth client.
  - tenantId (string)
    If provided, revoked tokens are limited to this tenant.
- revokedByBearer (boolean, required)
  Whether the token was revoked using either the token or refresh token. False when the token is revoked via the REST API.

com.qlik.oauth-token.revoked
Example payload of the "OAuth token revoked" event
```json
{
  "id": "A234-1234-1234",
  "time": "2026-01-01T12:00:00Z",
  "type": "com.qlik.oauth-token.revoked",
  "source": "com.qlik/my-service",
  "specversion": "1.0",
  "datacontenttype": "application/json",
  "userid": "605a18af2ab08cdbfad09259",
  "authtype": "service_account",
  "originip": "0.0.0.0",
  "tenantid": "TiQ8GPVr8qI714Lp5ChAAFFaU24MJy69",
  "sessionid": "WZhiEfgW2bLd7HgR-jjzAh6VnicipweT",
  "authclaims": "{\"iss\":\"qlik.api.internal/service\",\"sub\":\"service\",\"subType\":\"service\"}",
  "data": {
    "revokedAt": "2025-10-30T07:06:22Z",
    "revokedBy": "sEkC_KKE4RYwBzoeqQ4-TEp982A0gNnA",
    "revokedContext": {
      "userId": "605a18af2ab08cdbfad09259",
      "grantId": "601abc3fe95f07dbb73ce50f",
      "clientId": "630201422597f43c47128aa651af2172",
      "tenantId": "TiQ8GPVr8qI714Lp5ChAAFFaU24MJy69"
    },
    "revokedByBearer": true
  }
}
```
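
The intersection rule for revokedContext, replayed over a constructed event stream to keep an audit-side inventory of live tokens (an added example, not Qlik's code). The mapping from revokedContext keys to fields of the issued event's data, the helper names, and every sample identifier are assumptions.

```python
ISSUED, REVOKED = "com.qlik.oauth-token.issued", "com.qlik.oauth-token.revoked"
# Assumed mapping: revokedContext key -> field of the issued event's "data".
CTX_FIELD = {"grantId": "id", "userId": "resourceOwner",
             "clientId": "issuedToClientId", "tenantId": "tenantId"}

def matches(token, ctx):
    """A token is revoked only if it satisfies every property present in ctx."""
    return all(token.get(CTX_FIELD[k]) == v for k, v in ctx.items())

def replay(events):
    """Apply events in order; return (ids of still-active tokens, findings)."""
    active, findings = {}, []
    for ev in events:
        data = ev["data"]
        if ev["type"] == ISSUED:
            active[data["id"]] = data
        elif ev["type"] == REVOKED:
            ctx = {k: v for k, v in data["revokedContext"].items()
                   if k in CTX_FIELD and v}
            if not ctx:
                # No constraints would match every token: flag it, do not apply.
                findings.append((ev["id"], "empty revokedContext"))
                continue
            hit = [tid for tid, tok in active.items() if matches(tok, ctx)]
            if not hit:
                # Revocation of a token never seen issued: gap in the event feed.
                findings.append((ev["id"], "no known token matched"))
            for tid in hit:
                del active[tid]
    return sorted(active), findings

def token(tid, user, client):  # constructed sample event, hypothetical ids
    return {"id": "evt-" + tid, "type": ISSUED, "tenantid": "tenant-1",
            "data": {"id": tid, "resourceOwner": user,
                     "issuedToClientId": client, "tenantId": "tenant-1"}}

def revoke(eid, **ctx):  # constructed sample event, hypothetical ids
    return {"id": eid, "type": REVOKED, "tenantid": "tenant-1",
            "data": {"revokedAt": "2026-01-01T12:00:00Z",
                     "revokedContext": ctx, "revokedByBearer": False}}

SAMPLE = [
    token("t1", "alice", "web"), token("t2", "alice", "cli"),
    token("t3", "bob", "web"), token("t4", "bob", "cli"),
    revoke("r1", userId="alice", clientId="web"),  # user AND client: only t1
    revoke("r2", grantId="t4"),                    # one specific token
    revoke("r3", grantId="unknown"),               # matches nothing known
    revoke("r4"),                                  # no context properties
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```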