Skip to content

role_changed

This page is auto-generated from src/auth/stytch-invite.ts. Do not edit by hand — see docs/dev/docs-auto-sync.md.

role_changed

FunctionSource
encodeRoleChangedAuditReasonsrc/auth/stytch-invite.ts:101
FieldTypeRequiredNotes
target_member_idstringyes
target_stytch_member_idstringyes
from"admin" | "member" | "viewer"yes
to"admin" | "member" | "viewer"yes
by_user_idstringyes

#423 / #398c — emitted by PATCH /api/v1/admin/orgs/:slug/members/:id/role. from and to are the Upwarden Role enum values; target_member_id is the tenant_members row id whose role is changing, target_stytch_member_id is the cached Stytch id on that row (lets a SIEM correlate without joining back to the directory). by_user_id is the principal authorising the change. The route layer rejects from=owner / to=owner — those transitions are the transfer-ownership endpoint’s job and emit a different envelope.

This envelope is stored in audit_log.decision_reason (varchar(256)) as a JSON object with the shape { event, ...ctx }. The audit_log row carries tenant_id, actor_user_id, and timestamp as columns alongside — those are not duplicated in the envelope.