role_changed
This page is auto-generated from
src/auth/stytch-invite.ts. Do not edit by hand — seedocs/dev/docs-auto-sync.md.
Event string
Section titled “Event string”role_changed
Emitting helpers
Section titled “Emitting helpers”| Function | Source |
|---|---|
encodeRoleChangedAuditReason | src/auth/stytch-invite.ts:101 |
Context fields
Section titled “Context fields”| Field | Type | Required | Notes |
|---|---|---|---|
target_member_id | string | yes | — |
target_stytch_member_id | string | yes | — |
from | "admin" | "member" | "viewer" | yes | — |
to | "admin" | "member" | "viewer" | yes | — |
by_user_id | string | yes | — |
Documentation
Section titled “Documentation”#423 / #398c — emitted by PATCH /api/v1/admin/orgs/:slug/members/:id/role. from and to are the Upwarden Role enum values; target_member_id is the tenant_members row id whose role is changing, target_stytch_member_id is the cached Stytch id on that row (lets a SIEM correlate without joining back to the directory). by_user_id is the principal authorising the change. The route layer rejects from=owner / to=owner — those transitions are the transfer-ownership endpoint’s job and emit a different envelope.
This envelope is stored in audit_log.decision_reason (varchar(256)) as a JSON object with the shape { event, ...ctx }. The audit_log row carries tenant_id, actor_user_id, and timestamp as columns alongside — those are not duplicated in the envelope.