> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.
> Stream Auth0 metrics to monitoring platforms like Datadog, New Relic, and Splunk for real-time observability.
# Metric Streams
# Metric Streams (Beta)
Metric Streams is currently available in Beta. To use this feature, you must have an Enterprise plan. By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal). To learn more about Auth0's product release cycle, read [Product Release Stages](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages).
Stream real-time Auth0 metrics to your monitoring platform to track API performance, identify rate limit issues, and troubleshoot errors faster. Metric Streams support both native Datadog integration and OpenTelemetry Protocol (OTLP) for platforms like New Relic and Splunk.
## What you can monitor
Track key metrics about your Auth0 API usage:
* **API request volume**: Monitor total requests to Authentication and Management APIs.
* **Error rates**: Identify client and server errors affecting your integration.
* **Rate limit occurrences**: Detect when your application hits rate limits.
* **Geographic distribution**: Analyze traffic patterns by country.
* **Authentication flows**: Track grant types and connection usage.
## Use cases
### Identify rate limit issues
Monitor which APIs and endpoints are hitting rate limits so you can adjust your integration or upgrade your rate limit tier.
### Troubleshoot API failures
Quickly identify the root cause of errors by filtering metrics by API, operation, and failure type (rate limits, anomaly detection, or general errors).
### Plan capacity
Analyze peak usage, average RPS, and percentile metrics to determine the appropriate rate limit tier for your workload.
## Prerequisites
Before setting up a metric stream, you need:
* **Auth0 Management API access**: Create a Machine-to-Machine (M2M) application with the following permissions:
* `read:event_streams`
* `create:event_streams`
* `update:event_streams`
* `delete:event_streams`
* `read:event_deliveries`
* `update:event_deliveries`
For detailed instructions, read [Get Management API Access Tokens](docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-production).
* **Auth0 CLI**: Install the [Auth0 CLI](https://auth0.github.io/auth0-cli/) to configure metric streams via API commands.
* **Monitoring platform account**: An active account with one of the [supported destinations](#supported-destinations).
## Metric reference
### auth0.api\_request.count
Counts API requests to your Auth0 tenant with detailed filtering and aggregation tags. A new metric is emitted every 10 seconds and provides per second granularity.
#### Available tags
| Tag Name | Required | Description |
| ------------------ | -------- | ----------------------------------------------------------------------------------------------------- |
| `api` | Yes | API type: `AUTHENTICATION` or `MANAGEMENT` |
| `operation_name` | Yes | HTTP method and path (e.g., `POST /oauth/token`) |
| `operation_result` | Yes | Result: `SUCCESS` or `FAILURE` |
| `tenant` | Yes | Your Auth0 tenant name |
| `failure_code` | No | Failure reason: `RATE_LIMIT`, `ANOMALY_DETECTION`, or `CLIENT_SERVER_ERROR` |
| `country_code` | No | ISO country code from request IP address |
| `client_id` | No | Application Client ID (Authentication API only) |
| `connection_id` | No | Connection ID (Authentication API only) |
| `grant_type` | No | OAuth 2.0 grant type (Authentication API only) |
| `batch_seq` | Yes | Sequence number for metrics with identical tags and timestamp (temporary, will be removed after Beta) |
The `client_id` and `connection_id` tags can generate high cardinality in environments with many unique clients or connections, potentially increasing monitoring costs. Use these tags selectively.
Metric streams do not include API calls that are cached or blocked by Auth0's Web Application Firewall (WAF) at the edge to prevent system overload.
#### Enum values
**api**
* `AUTHENTICATION` - Authentication API requests
* `MANAGEMENT` - Management API requests
**operation\_result**
* `SUCCESS` - Request completed successfully
* `FAILURE` - Request failed with client or server error
**failure\_code** (only present when `operation_result` is `FAILURE`)
* `RATE_LIMIT` - Request exceeded rate limit
* `ANOMALY_DETECTION` - Blocked by Auth0's attack protection
* `CLIENT_SERVER_ERROR` - HTTP 4xx or 5xx error
## Supported destinations
Metric Streams support the following monitoring platforms:
Native integration with Datadog's metrics API
Stream via OpenTelemetry Protocol (OTLP)
Stream via OpenTelemetry Protocol (OTLP)
## Set up Datadog
Stream Auth0 metrics directly to Datadog using their native metrics API.
### Prerequisites
* Active [Datadog account](https://www.datadoghq.com/)
* Datadog API key (generate at **Organization Settings > API Keys** in Datadog)
* Your Datadog site (region identifier like `US1` for app.datadoghq.com, `EU` for app.datadoghq.eu, `US3` for us3.datadoghq.com)
### Create metric stream
**Navigate to Metric Streams:**
1. Go to [Auth0 Dashboard](https://manage.auth0.com) > **Monitoring** > **Metric Streams**.
2. Select **+ Create Metric Stream**.
3. Select **Datadog**.
**Configure stream:**
1. **Name**: Enter a descriptive name (e.g., `datadog-production`).
2. **Datadog Site**: Select your Datadog region from the dropdown:
* `US1` for app.datadoghq.com
* `US3` for us3.datadoghq.com
* `US5` for us5.datadoghq.com
* `EU` for app.datadoghq.eu
* `AP1` for ap1.datadoghq.com
3. **Datadog API Key**: Paste your Datadog API key.
4. Select **Save**.
This creates and automatically enables your Metric Stream.
Use the Auth0 CLI to create a Datadog metric stream:
```bash theme={null}
auth0 api post metric-streams \
--data '{
"name": "datadog-production",
"subscriptions": [{ "metric_type": "auth0.api_request.count" }],
"destination": {
"type": "datadog",
"configuration": {
"api_key": "YOUR_DATADOG_API_KEY",
"site": "app.datadoghq.com"
}
}
}'
```
**Response:**
```json theme={null}
{
"id": "mst_abc123xyz",
"status": "enabled",
"name": "datadog-production",
"created_at": "2024-02-12T10:30:00Z",
"updated_at": "2024-02-12T10:30:00Z",
"destination": {
"type": "datadog",
"configuration": {
"api_key": "***",
"site": "app.datadoghq.com"
}
}
}
```
Save the `id` value to manage this stream later.
### Verify in Datadog
Within a few minutes, Auth0 metrics appear in Datadog. Navigate to **Metrics > Explorer** and search for `auth0.api_request.count` to view your data.
### Manage streams
**View all streams:**
1. Go to [Auth0 Dashboard](https://manage.auth0.com) > **Monitoring** > **Metric Streams**.
2. All configured streams are listed with their Destination, Status, Name, and Subscriptions.
**Edit a stream:**
1. Select the stream name from the list.
2. Update the configuration.
3. Select **Save**.
**Enable/Disable a stream:**
1. Choose the **Toggle switch** in the Status column to enable or disable the stream.
2. Disabled streams stop sending metrics but retain their configuration.
**Delete a stream:**
1. Select the stream name from the list.
2. Select **Delete** at the bottom of the configuration page.
3. Confirm deletion.
**List all streams:**
```bash theme={null}
auth0 api get /api/v2/metric-streams
```
**Disable a stream:**
```bash theme={null}
auth0 api patch /api/v2/metric-streams/YOUR_STREAM_ID \
--data '{"status":"disabled"}'
```
**Re-enable a stream:**
```bash theme={null}
auth0 api patch /api/v2/metric-streams/YOUR_STREAM_ID \
--data '{"status":"enabled"}'
```
## Set up New Relic
Stream Auth0 metrics to New Relic using OpenTelemetry Protocol (OTLP).
### Get New Relic credentials
Refer to [New Relic's OTLP documentation](https://docs.newrelic.com/docs/opentelemetry/best-practices/opentelemetry-otlp/#configure-endpoint-port-protocol) to find your region-specific endpoint:
* **US:** `https://otlp.nr-data.net`
* **EU:** `https://otlp.eu01.nr-data.net`
Save this endpoint URL.
1. Go to **\[your user menu]** > **API Keys**.
2. Select **Create a key**.
3. Select **Key Type** = **Ingest - License**.
4. Enter a descriptive name and optional note.
5. Select **Create a key**.
6. Copy the API key immediately. You need it for later steps and it won't be shown again.
### Create metric stream
**Navigate to Metric Streams:**
1. Go to [Auth0 Dashboard](https://manage.auth0.com) > **Monitoring** > **Metric Streams**.
2. Select **+ Create Metric Stream**.
3. Select **OpenTelemetry**.
**Configure stream:**
1. **Name**: Enter a descriptive name (e.g., `newrelic-production`).
2. **Protocol**: Select **HTTP** from the dropdown.
3. **OTLP Endpoint**: Paste your New Relic OTLP endpoint (e.g., `https://otlp.nr-data.net`).
4. **Authentication Method**: Select **API Key** from the dropdown.
5. **Header Name**: Enter `api-key`.
6. **API Key**: Paste your New Relic Ingest License Key that you copied from previous steps.
7. Select **Save**.
This creates and automatically enables your Metric Stream.
```bash theme={null}
auth0 api post metric-streams \
--data '{
"name": "newrelic-production",
"subscriptions": [{ "metric_type": "metrics_bridge.api_request" }],
"destination": {
"type": "otlp",
"configuration": {
"endpoint": "YOUR_NEW_RELIC_ENDPOINT",
"protocol": "http",
"auth_type": "api_key",
"api_key": "YOUR_INGEST_LICENSE_KEY",
"auth_header_name": "api-key"
}
}
}'
```
## Set up Splunk
Stream Auth0 metrics to Splunk Observability Cloud using OpenTelemetry Protocol (OTLP).
### Get Splunk credentials
Refer to [Splunk's OTLP HTTP Exporter documentation](https://help.splunk.com/en/splunk-observability-cloud/manage-data/splunk-distribution-of-the-opentelemetry-collector/get-started-with-the-splunk-distribution-of-the-opentelemetry-collector/collector-components/exporters/otlphttp-exporter) to find your endpoint.
The endpoint format is:
```
https://ingest..signalfx.com/v2/datapoint/otlp
```
Replace `` with your Splunk realm (e.g., `us1`, `eu0`, `jp0`).
1. Navigate to **Settings** > **Access Tokens** > **New Token**.
2. Enter a descriptive name.
3. Set **Authorization Scope** to **INGEST** (required).
4. Set token expiration.
5. Select **Create**.
6. Copy and securely store the token value. You need this value for later steps.
### Create metric stream
**Navigate to Metric Streams:**
1. Go to [Auth0 Dashboard](https://manage.auth0.com) > **Monitoring** > **Metric Streams**.
2. Select **+ Create Metric Stream**.
3. Select **OpenTelemetry**.
**Configure stream:**
1. **Name**: Enter a descriptive name (e.g., `splunk-production`).
2. **Protocol**: Select **HTTP** from the dropdown.
3. **OTLP Endpoint**: Paste your Splunk OTLP endpoint (e.g., `https://ingest.us1.signalfx.com/v2/datapoint/otlp`).
4. **Authentication Method**: Select **API Key** from the dropdown.
5. **Header Name**: Enter `X-SF-TOKEN`.
6. **API Key**: Paste your Splunk access token (from Step 2 above).
7. Select **Save**.
The metric stream is created and automatically enabled.
```bash theme={null}
auth0 api post metric-streams \
--data '{
"name": "splunk-production",
"subscriptions": [{ "metric_type": "metrics_bridge.api_request" }],
"destination": {
"type": "otlp",
"configuration": {
"endpoint": "YOUR_SPLUNK_ENDPOINT",
"protocol": "http",
"auth_type": "api_key",
"api_key": "YOUR_SPLUNK_ACCESS_TOKEN",
"auth_header_name": "X-SF-TOKEN"
}
}
}'
```
## Understand metric cardinality
Cardinality refers to the number of unique time series generated by your metrics. Higher cardinality increases monitoring costs.
| Tag | Cardinality | Impact |
| ------------------ | ----------- | -------------------------------------------- |
| `api` | Low | 2 unique values (Authentication, Management) |
| `operation_name` | Medium | Varies by API operations used |
| `operation_result` | Low | 2 unique values (Success, Failure) |
| `tenant` | Medium | 1 per Auth0 tenant |
| `failure_code` | Low | 3 unique values (only on failures) |
| `country_code` | Medium-High | Varies by geographic distribution |
| `client_id` | **High** | 1 per application client |
| `connection_id` | **High** | 1 per identity provider connection |
| `grant_type` | Low | Limited OAuth 2.0 grant types |
| `batch_seq` | Low | Temporary tag (removed after Beta) |
Use `client_id` and `connection_id` tags carefully. In environments with many applications or connections, these tags can significantly increase costs. Consider filtering to specific clients or aggregating these tags if detailed granularity isn't required.
## Troubleshooting
### Metrics not appearing
**Check stream status:**
1. Go to [Auth0 Dashboard](https://manage.auth0.com) > **Monitoring** > **Metric Streams**.
2. Find your metric stream in the list.
3. Verify the **Status** column shows **Enabled**.
4. Select the stream name to view detailed configuration and verify settings.
```bash theme={null}
auth0 api get /api/v2/metric-streams/YOUR_STREAM_ID
```
Verify the `status` field is `enabled`.
**Verify destination credentials:**
* **Datadog**: Confirm your API key is valid and the site URL matches your Datadog region
* **OTLP destinations**: Verify endpoint URL, authentication token, and header name are correct
**Check for edge caching:**
Remember that cached requests and WAF-blocked requests are not included in metric streams.
### High monitoring costs
If you're seeing unexpectedly high costs:
1. Review which tags you're using in queries and dashboards.
2. Consider removing `client_id` and `connection_id` from aggregations.
3. Use sampling or filtering in your monitoring platform to reduce ingested metrics.
4. Aggregate by higher-level tags like `api` and `operation_result` instead of granular tags.