Skip to content

Reporting & Analytics

Identity is a goldmine of security and product signal. Keycloak emits rich events; we capture, store, and surface them — the analytics layer is a first-class part of the platform, not a bolt-on.

Keycloak (Event Listener SPI) ──▶ durable queue ──▶ ClickHouse ──▶ dashboards / exports / metering
  • Event Listener SPI — Keycloak’s native extension point emits user events (login, logout, register, MFA, failures, token refresh) and admin events (config changes) with no polling.
  • Durable queue — decouples Keycloak from analytics so a spike or outage never backs up the auth hot path.
  • ClickHouse — a columnar store built for high-cardinality event analytics at scale.

Login & usage dashboards

Logins, unique users, success/failure rates, MFA adoption, IdP mix, geography, and trends over time.

Security analytics

Brute-force and credential-stuffing patterns, impossible-travel and anomaly signals, admin-change audit trails.

Audit-ready exports

Immutable event history for SOC 2 / access reviews — the reports Auth0 charges $20K+/yr for, included.

BI exports

Stream or export to Snowflake / BigQuery to join identity data with the rest of your warehouse.

The same event stream powers metering. We count Monthly Active Users — a unique user who authenticates at least once in a calendar month; token refreshes and introspections don’t add MAUs — and feed it to billing (Stripe).

  • Event retention is configurable per plan; raw events age out on a lifecycle policy.
  • Analytics run on your tenant’s data; no cross-tenant mixing.
  • IP handling follows your compliance posture (full, anonymized, or geo-only).