Collected Metrics
Overview
We collect usage data from FusionAuth deployments to improve our product. This data helps us understand how you’re using FusionAuth so that we can give you better features, tightened security, and tailored experiences.
FusionAuth collects high level metrics for all instances.
Collected metrics of this payload include:
- a unique instance identifier
- the total number of users
- the total number of monthly active users
- the total number of monthly logins
- the number of nodes in the instance
- the product version
- the license Id (only for licensed instances with a plan)
- the version of the metrics data (currently always version 1)
A self-hosted community user can disable network egress or block access to the metrics endpoint without affecting functionality.
Customers on a paid plan must allow a metrics connection per the license agreement, unless they have an air-gapped license.
Detailed Metrics
Available since 1.55.0
As of version 1.55.0, we collect additional usage data.
We’re committed to being up front about the data that we collect and how we use it, hence this document.
Here’s a sample JSON object showing what we collect:
Usage Stats - Example JSON Payload
{
"applicationVersion": "1.55.0",
"collectionDuration": 523,
"collectionInstant": 1720629226097,
"instanceId": "eb76363d-8ee3-4188-8bae-ceed191a4780",
"stats": {
"applicationAccessTokenPopulateLambda": 80,
"applicationActiveLoggedIntoNumber": 100,
"applicationActiveNumber": 101,
"applicationActiveRoleNumber": 200,
"applicationActsAsSamlv2Idp": 40,
"applicationAdvancedSelfServiceRegistrationEnabled": 40,
"applicationBasicSelfServiceRegistrationEnabled": 40,
"applicationCustomSelfServiceAccountForm": 23,
"applicationCustomThemeUsed": 12,
"applicationEmailUpdateTemplate": 30,
"applicationEmailVerificationTemplate": 30,
"applicationEmailVerifiedTemplate": 30,
"applicationEnabledIdentityProviders": [
{
"count": 20,
"idp": "Apple"
},
{
"count": 20,
"idp": "EpicGames"
},
{
"count": 20,
"idp": "ExternalJWT"
},
{
"count": 20,
"idp": "Facebook"
},
{
"count": 20,
"idp": "Google"
},
{
"count": 20,
"idp": "HYPR"
},
{
"count": 80,
"idp": "OpenIDConnect"
},
{
"count": 100,
"idp": "SAMLv2"
},
{
"count": 120,
"idp": "SAMLv2IdPInitiated"
},
{
"count": 20,
"idp": "SonyPSN"
},
{
"count": 20,
"idp": "Steam"
},
{
"count": 20,
"idp": "Twitch"
},
{
"count": 20,
"idp": "Twitter"
},
{
"count": 20,
"idp": "Xbox"
}
],
"applicationEnabledIdentityProvidersWithLambdas": 260,
"applicationForgotPasswordTemplate": 30,
"applicationIdTokenPopulateLambda": 80,
"applicationLoggedInApplicationsUsingSimpleThemes": 3,
"applicationLoginApiAuthenticationDisabled": 4,
"applicationLoginApiRefreshTokensEnabled": 5,
"applicationLoginIdInUseOnCreateTemplate": 30,
"applicationLoginIdInUseOnUpdateTemplate": 30,
"applicationLoginNewDevice": 30,
"applicationLoginSuspiciousEmailTemplate": 30,
"applicationMagicLinks": 6,
"applicationMfaPolicy": 7,
"applicationMultiFactorEmailMessageTemplate": 30,
"applicationMultiFactorSmsMessageTemplate": 25,
"applicationNumber": 101,
"applicationOptionalScopes": 9,
"applicationPasswordResetSuccessTemplate": 30,
"applicationPasswordUpdateTemplate": 30,
"applicationPasswordlessTemplate": 30,
"applicationRequiredScopes": 18,
"applicationSamlv2PopulateLambda": 80,
"applicationSelfServiceRegistrationValidationLambda": 80,
"applicationSetPasswordTemplate": 30,
"applicationThirdParty": 8,
"applicationTwoFactorMethodAddTemplate": 30,
"applicationTwoFactorMethodRemoveTemplate": 30,
"applicationUserinfoPopulateLambda": 80,
"applicationVerificationTemplate": 30,
"atdCaptcha": 5,
"atdIpAcls": 10,
"atdRateLimiting": 6,
"entitiesEntityGrants": 40,
"entitiesPermissions": 12,
"entitiesTypeNumber": 4,
"groupApplicationRoles": 60,
"instanceCompanyPlan": "Essentials",
"instanceDailyActiveUsers": 3300,
"instanceDatabaseConnectionTimeout": 2000,
"instanceDatabaseIdleTimeout": 120000,
"instanceDatabaseMaxLifetime": 240000,
"instanceDatabaseMaximumPoolSize": 10,
"instanceDatabaseMinimumIdle": -1,
"instanceDatabaseMysqlEnforceUtf8mb4": false,
"instanceDatabaseVersion": "8.3.0",
"instanceFirstTimeSetupProgress": {
"apiKeyConfigured": false,
"applicationConfigured": false,
"emailConfigured": false,
"licenseActivated": false
},
"instanceFusionauthAppHttpReadTimeout": 0,
"instanceFusionauthAppLocalMetricsEnabled": false,
"instanceFusionauthAppMemory": 25769803776,
"instanceFusionauthAppReindexBatchSize": 2500,
"instanceFusionauthAppReindexThreadCount": 5,
"instanceFusionauthAppSearchDefaultRefreshInterval": "1s",
"instanceFusionauthSearchHostsCount": 1,
"instanceJavaVersion": "17.0.8.1+1",
"instanceLicenseType": "Production",
"instanceNodes": 4,
"instanceProxyEnabled": false,
"instanceSearchType": "database",
"integrationsCleanspeakEnabled": false,
"integrationsKafkaEnabled": false,
"messengersGeneric": 100,
"messengersKafka": 0,
"messengersTwilio": 100,
"scimEnabled": 7,
"tenantBreachedPasswordDetection": 7,
"tenantClientCredentialsLambdaEnabled": 80,
"tenantConfirmChildTemplate": 30,
"tenantCustomAdminUserForm": 43,
"tenantCustomConnectors": 40,
"tenantCustomThemeUsed": 23,
"tenantEmailMfaEnabled": 8,
"tenantEmailUpdateTemplate": 30,
"tenantEmailVerifiedTemplate": 30,
"tenantFamilyEnabledTemplate": 8,
"tenantFamilyRequestTemplate": 30,
"tenantForgotPasswordTemplate": 30,
"tenantLoggedInApplicationsUsingSimpleThemesFromTenant": 4,
"tenantLoginIdInUseOnCreateTemplate": 30,
"tenantLoginIdInUseOnUpdateTemplate": 30,
"tenantLoginNewDeviceTemplate": 30,
"tenantLoginSuspiciousEmailTemplate": 30,
"tenantMultiFactorEmailMessageTemplate": 30,
"tenantMultiFactorSmsMessageTemplate": 25,
"tenantNumber": 102,
"tenantParentRegistrationTemplate": 30,
"tenantPasswordResetSuccessTemplate": 30,
"tenantPasswordUpdateTemplate": 30,
"tenantPasswordlessTemplate": 30,
"tenantSetPasswordTemplate": 30,
"tenantSmsMfaEnabled": 8,
"tenantTotpMfaEnabled": 102,
"tenantTwoFactorMethodAddTemplate": 30,
"tenantTwoFactorMethodRemoveTemplate": 30,
"tenantVerificationTemplate": 30,
"tenantWebauthnEnabled": 3,
"webhookAuditLogCreate": 30,
"webhookEventLogCreate": 40,
"webhookGroupCreate": 40,
"webhookGroupCreateComplete": 40,
"webhookGroupCreateTransactional": 40,
"webhookGroupDelete": 40,
"webhookGroupDeleteComplete": 40,
"webhookGroupDeleteTransactional": 40,
"webhookGroupMemberAdd": 40,
"webhookGroupMemberAddComplete": 40,
"webhookGroupMemberAddTransactional": 40,
"webhookGroupMemberRemove": 40,
"webhookGroupMemberRemoveComplete": 40,
"webhookGroupMemberRemoveTransactional": 40,
"webhookGroupMemberUpdate": 40,
"webhookGroupMemberUpdateComplete": 40,
"webhookGroupMemberUpdateTransactional": 40,
"webhookGroupUpdate": 40,
"webhookGroupUpdateComplete": 40,
"webhookGroupUpdateTransactional": 40,
"webhookJwtPublicKeyUpdate": 42,
"webhookJwtPublicKeyUpdateTransactional": 40,
"webhookJwtRefresh": 40,
"webhookJwtRefreshTokenRevoke": 42,
"webhookJwtRefreshTokenRevokeTransactional": 40,
"webhookJwtRefreshTransactional": 40,
"webhookKickstartSuccess": 40,
"webhookUserAction": 42,
"webhookUserBulkCreate": 42,
"webhookUserBulkCreateTransactional": 40,
"webhookUserCreate": 42,
"webhookUserCreateComplete": 40,
"webhookUserCreateTransactional": 40,
"webhookUserDeactivate": 42,
"webhookUserDeactivateTransactional": 40,
"webhookUserDelete": 42,
"webhookUserDeleteComplete": 40,
"webhookUserDeleteTransactional": 40,
"webhookUserEmailUpdate": 40,
"webhookUserEmailVerified": 42,
"webhookUserEmailVerifiedTransactional": 40,
"webhookUserIdentityProviderLink": 40,
"webhookUserIdentityProviderUnlink": 40,
"webhookUserLoginIdDuplicateCreate": 40,
"webhookUserLoginIdDuplicateUpdate": 40,
"webhookUserLoginFailed": 42,
"webhookUserLoginFailedTransactional": 40,
"webhookUserLoginNewDevice": 40,
"webhookUserLoginNewDeviceTransactional": 40,
"webhookUserLoginSuccess": 42,
"webhookUserLoginSuccessTransactional": 40,
"webhookUserLoginSuspicious": 40,
"webhookUserLoginSuspiciousTransactional": 40,
"webhookUserPasswordBreach": 40,
"webhookUserPasswordBreachTransactional": 40,
"webhookUserPasswordResetSend": 40,
"webhookUserPasswordResetStart": 40,
"webhookUserPasswordResetSuccess": 40,
"webhookUserPasswordUpdate": 40,
"webhookUserReactivate": 42,
"webhookUserReactivateTransactional": 40,
"webhookUserRegistrationCreate": 42,
"webhookUserRegistrationCreateComplete": 40,
"webhookUserRegistrationCreateTransactional": 40,
"webhookUserRegistrationDelete": 42,
"webhookUserRegistrationDeleteComplete": 40,
"webhookUserRegistrationDeleteTransactional": 40,
"webhookUserRegistrationUpdate": 42,
"webhookUserRegistrationUpdateComplete": 40,
"webhookUserRegistrationUpdateTransactional": 40,
"webhookUserRegistrationVerified": 42,
"webhookUserRegistrationVerifiedTransactional": 40,
"webhookUserTwoFactorMethodAdd": 40,
"webhookUserTwoFactorMethodRemove": 40,
"webhookUserUpdate": 42,
"webhookUserUpdateComplete": 40,
"webhookUserUpdateTransactional": 40
},
"statsVersion": "0.1.5",
"timings": {
"applicationAccessTokenPopulateLambda": 1,
"applicationActiveLoggedIntoNumber": 0,
"applicationActiveNumber": 3,
"applicationActiveRoleNumber": 1,
"applicationActsAsSamlv2Idp": 11,
"applicationAdvancedSelfServiceRegistrationEnabled": 5,
"applicationBasicSelfServiceRegistrationEnabled": 11,
"applicationCustomSelfServiceAccountForm": 1,
"applicationCustomThemeUsed": 0,
"applicationEmailUpdateTemplate": 0,
"applicationEmailVerificationTemplate": 1,
"applicationEmailVerifiedTemplate": 0,
"applicationEnabledIdentityProviders": 2,
"applicationEnabledIdentityProvidersWithLambdas": 1,
"applicationForgotPasswordTemplate": 0,
"applicationIdTokenPopulateLambda": 1,
"applicationLoggedInApplicationsUsingSimpleThemes": 4,
"applicationLoginApiAuthenticationDisabled": 3,
"applicationLoginApiRefreshTokensEnabled": 3,
"applicationLoginIdInUseOnCreateTemplate": 0,
"applicationLoginIdInUseOnUpdateTemplate": 1,
"applicationLoginNewDevice": 0,
"applicationLoginSuspiciousEmailTemplate": 0,
"applicationMagicLinks": 3,
"applicationMfaPolicy": 3,
"applicationMultiFactorEmailMessageTemplate": 0,
"applicationMultiFactorSmsMessageTemplate": 1,
"applicationNumber": 0,
"applicationOptionalScopes": 1,
"applicationPasswordResetSuccessTemplate": 1,
"applicationPasswordUpdateTemplate": 0,
"applicationPasswordlessTemplate": 1,
"applicationRequiredScopes": 0,
"applicationSamlv2PopulateLambda": 0,
"applicationSelfServiceRegistrationValidationLambda": 1,
"applicationSetPasswordTemplate": 0,
"applicationThirdParty": 2,
"applicationTwoFactorMethodAddTemplate": 1,
"applicationTwoFactorMethodRemoveTemplate": 0,
"applicationUserinfoPopulateLambda": 0,
"applicationVerificationTemplate": 0,
"atdCaptcha": 5,
"atdIpAcls": 0,
"atdRateLimiting": 5,
"entitiesEntityGrants": 1,
"entitiesPermissions": 0,
"entitiesTypeNumber": 0,
"groupApplicationRoles": 0,
"instanceCompanyPlan": 0,
"instanceDailyActiveUsers": 0,
"instanceDatabaseConnectionTimeout": 0,
"instanceDatabaseIdleTimeout": 0,
"instanceDatabaseMaxLifetime": 0,
"instanceDatabaseMaximumPoolSize": 0,
"instanceDatabaseMinimumIdle": 0,
"instanceDatabaseMysqlEnforceUtf8mb4": 0,
"instanceDatabaseVersion": 0,
"instanceElasticsearchVersion": 0,
"instanceFirstTimeSetupProgress": 0,
"instanceFusionauthAppHttpReadTimeout": 0,
"instanceFusionauthAppLocalMetricsEnabled": 0,
"instanceFusionauthAppMemory": 0,
"instanceFusionauthAppReindexBatchSize": 0,
"instanceFusionauthAppReindexThreadCount": 0,
"instanceFusionauthAppSearchDefaultRefreshInterval": 0,
"instanceFusionauthSearchHostsCount": 0,
"instanceJavaVersion": 1,
"instanceLicenseType": 0,
"instanceNodes": 0,
"instanceProxyEnabled": 0,
"instanceSearchType": 0,
"integrationsCleanspeakEnabled": 0,
"integrationsKafkaEnabled": 0,
"messengersGeneric": 5,
"messengersKafka": 5,
"messengersTwilio": 5,
"scimEnabled": 5,
"tenantBreachedPasswordDetection": 5,
"tenantClientCredentialsLambdaEnabled": 1,
"tenantConfirmChildTemplate": 0,
"tenantCustomAdminUserForm": 0,
"tenantCustomConnectors": 0,
"tenantCustomThemeUsed": 1,
"tenantEmailMfaEnabled": 4,
"tenantEmailUpdateTemplate": 0,
"tenantEmailVerifiedTemplate": 0,
"tenantFamilyEnabledTemplate": 5,
"tenantFamilyRequestTemplate": 0,
"tenantForgotPasswordTemplate": 0,
"tenantLoggedInApplicationsUsingSimpleThemesFromTenant": 1,
"tenantLoginIdInUseOnCreateTemplate": 0,
"tenantLoginIdInUseOnUpdateTemplate": 0,
"tenantLoginNewDeviceTemplate": 1,
"tenantLoginSuspiciousEmailTemplate": 0,
"tenantMultiFactorEmailMessageTemplate": 0,
"tenantMultiFactorSmsMessageTemplate": 0,
"tenantNumber": 1,
"tenantParentRegistrationTemplate": 0,
"tenantPasswordResetSuccessTemplate": 0,
"tenantPasswordUpdateTemplate": 1,
"tenantPasswordlessTemplate": 0,
"tenantSetPasswordTemplate": 0,
"tenantSmsMfaEnabled": 4,
"tenantTotpMfaEnabled": 5,
"tenantTwoFactorMethodAddTemplate": 0,
"tenantTwoFactorMethodRemoveTemplate": 0,
"tenantVerificationTemplate": 0,
"tenantWebauthnEnabled": 5,
"webhookAuditLogCreate": 1,
"webhookEventLogCreate": 0,
"webhookGroupCreate": 5,
"webhookGroupCreateComplete": 5,
"webhookGroupCreateTransactional": 6,
"webhookGroupDelete": 5,
"webhookGroupDeleteComplete": 4,
"webhookGroupDeleteTransactional": 6,
"webhookGroupMemberAdd": 5,
"webhookGroupMemberAddComplete": 4,
"webhookGroupMemberAddTransactional": 6,
"webhookGroupMemberRemove": 4,
"webhookGroupMemberRemoveComplete": 4,
"webhookGroupMemberRemoveTransactional": 6,
"webhookGroupMemberUpdate": 5,
"webhookGroupMemberUpdateComplete": 4,
"webhookGroupMemberUpdateTransactional": 6,
"webhookGroupUpdate": 4,
"webhookGroupUpdateComplete": 4,
"webhookGroupUpdateTransactional": 6,
"webhookJwtPublicKeyUpdate": 5,
"webhookJwtPublicKeyUpdateTransactional": 6,
"webhookJwtRefresh": 5,
"webhookJwtRefreshTokenRevoke": 4,
"webhookJwtRefreshTokenRevokeTransactional": 7,
"webhookJwtRefreshTransactional": 6,
"webhookKickstartSuccess": 1,
"webhookUserAction": 4,
"webhookUserBulkCreate": 4,
"webhookUserBulkCreateTransactional": 7,
"webhookUserCreate": 4,
"webhookUserCreateComplete": 5,
"webhookUserCreateTransactional": 6,
"webhookUserDeactivate": 4,
"webhookUserDeactivateTransactional": 7,
"webhookUserDelete": 4,
"webhookUserDeleteComplete": 5,
"webhookUserDeleteTransactional": 6,
"webhookUserEmailUpdate": 4,
"webhookUserEmailVerified": 5,
"webhookUserEmailVerifiedTransactional": 6,
"webhookUserIdentityProviderLink": 5,
"webhookUserIdentityProviderUnlink": 4,
"webhookUserLoginIdDuplicateCreate": 5,
"webhookUserLoginIdDuplicateUpdate": 4,
"webhookUserLoginFailed": 5,
"webhookUserLoginFailedTransactional": 6,
"webhookUserLoginNewDevice": 5,
"webhookUserLoginNewDeviceTransactional": 6,
"webhookUserLoginSuccess": 4,
"webhookUserLoginSuccessTransactional": 7,
"webhookUserLoginSuspicious": 4,
"webhookUserLoginSuspiciousTransactional": 6,
"webhookUserPasswordBreach": 5,
"webhookUserPasswordBreachTransactional": 6,
"webhookUserPasswordResetSend": 4,
"webhookUserPasswordResetStart": 5,
"webhookUserPasswordResetSuccess": 4,
"webhookUserPasswordUpdate": 4,
"webhookUserReactivate": 5,
"webhookUserReactivateTransactional": 6,
"webhookUserRegistrationCreate": 4,
"webhookUserRegistrationCreateComplete": 4,
"webhookUserRegistrationCreateTransactional": 6,
"webhookUserRegistrationDelete": 4,
"webhookUserRegistrationDeleteComplete": 4,
"webhookUserRegistrationDeleteTransactional": 7,
"webhookUserRegistrationUpdate": 4,
"webhookUserRegistrationUpdateComplete": 4,
"webhookUserRegistrationUpdateTransactional": 6,
"webhookUserRegistrationVerified": 4,
"webhookUserRegistrationVerifiedTransactional": 6,
"webhookUserTwoFactorMethodAdd": 5,
"webhookUserTwoFactorMethodRemove": 4,
"webhookUserUpdate": 4,
"webhookUserUpdateComplete": 4,
"webhookUserUpdateTransactional": 6
}
}
You can see here that we are collecting information about feature usage.
We will never collect anything personally identifiable about your users or customers. We may collect new metrics as we add new features, but those will be outlined in our release notes.
Here’s the breakdown of which FusionAuth deployment this feature will collect data from, and how it will happen:
- Self-hosted: For those users who self-host FusionAuth, you can choose to share your data with us. You can turn usage data collection off by API, setup wizard, or in the admin UI, Settings -> System -> Analytics & Improvements. You can also block the outbound request at the network; just block the hostname https://usage-stats.fusionauth.io.
- By default, any upgraded instances will NOT send usage data.
- By default, any new instances will send usage data, but you can opt out at instance creation or any time after.
- For those who choose to have us host your FusionAuth deployment in FusionAuth Cloud, data collection cannot be disabled. This data helps us provide top-notch service and security.
- If you are on the Community plan, which all unlicensed versions of FusionAuth are, and enable this feature, we collect data but won’t tie it to your identity.
- If you are on the Licensed Community plan (available in version 1.52.0 and later, which enables passkeys and other features), we tie usage data to your account and identity.
- Other plans: We tie the data to your account and identity via the instanceId field.
If you have questions or concerns, we’re here to chat. Drop us an email at devrel@fusionauth.io, or stop by the FusionAuth Community forums.
Disabling Data Collection
As outlined previously, users who self-host FusionAuth can disable data collection in three ways. If your instance is hosted on FusionAuth Cloud, then usage stats collection is part of the cloud hosting package. In this section, we will show you what each option looks like in both the admin UI and the setup wizard.
Self Hosting
You may disable usage stats collection as part of the setup process. To do so, uncheck the box at the bottom of the screen as shown here:
In some cases, you may decide to disable stats collection at a later time. You may do so by navigating to Settings -> System -> Analytics & Improvements in the admin UI and then moving the toggle as pictured here:
FusionAuth Cloud
If you are using FusionAuth Cloud, you will not see the same options as users who self-host. Your setup wizard option to disable stats collection will be disabled:
Within the admin UI, you’ll see a message explaining that usage stats collection cannot be disabled on FusionAuth Cloud instances.
Frequently Asked Questions
How Will This Impact Performance?
We have been developing this feature internally for quite some time. First, stats collection is intentionally throttled to not use additional resources. We then chose to only have the queries run once per day. We load tested with a variety of customer sizes and database configurations until we were able to collect this data without the collection impacting deployment performance. As a further failsafe, we have built in functionality that lets us dynamically disable any stat collection that does cause a problem, without the need to release or upgrade the instance.
How Does FusionAuth Ensure that My Customer Data Remains Private?
Your privacy, and that of your customers, is of the utmost importance to us. We have designed this system so that it only collects aggregated data, so that we do not see data on any one specific instance. Further, we do not collect any data that might reveal any information about your customers, such as webhook or OIDC URLs.
Who Owns the Data that You Collect? Who Decides How that Data is Used?
The FusionAuth license agreement covers the specifics of how we collect and use data. For more detailed information, please see the following sections:
- Section 2.1.6 covers self-hosting
- Section 2.2.4 discusses those hosting with FusionAuth Cloud
- Section 5.2 covers FusionAuth’s licensing of collected data
- Section 5.3 has the information on consent for feedback
How Does Your Data Collection Impact Our Ability to Remain GDPR or CCPA Compliant?
We know how critical compliance is for your business. For many customers, it’s a primary driver in why they chose FusionAuth. Because of this, we made the choice to avoid collecting any personally identifiable information. We collect all stats in aggregate, so that there is no chance of violating confidentiality or compliance.
What Steps are You Taking to Avoid Scope Creep and Collecting Ever-More Data?
We’re aware of how easy it is to let a project like this expand. Who doesn’t like more data? Before we started this project, we decided on the following principles:
- Self-hosting customers will always be able to turn off usage data collection.
- We limit data collection to feature usage counts and software versions of the product.
- We will never collect anything that would let us know specific information about your configuration or your customers such as OIDC URLs, user emails or mail hosts.
- We will not collect new stats without releasing a new version of FusionAuth.
We want to do right by our customers. By making these public commitments, we are clear about what data we gather and what data we will not. We want to be transparent about data collection and prevent scope creep.
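One way for a self-hosting operator to check a captured usage-stats payload against these commitments, as an added example that is not FusionAuth code: it walks every leaf of the JSON and flags string values shaped like a URL, an email address or a host name, plus any top-level key not present in the sample payload on this page. The trimmed sample, the `hypothetical*` fields and the regular expressions are constructed for illustration.

```python
import json
import re

# Value shapes the page says are never collected: URLs, emails, mail/host names.
CHECKS = [
    ("url", re.compile(r"[a-z][a-z0-9+.-]*://", re.I)),
    ("email", re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)),
    ("hostname", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]

# Top-level keys of the sample payload shown on this page (assumed stable schema).
TOP_LEVEL_KEYS = {"applicationVersion", "collectionDuration", "collectionInstant",
                  "instanceId", "stats", "statsVersion", "timings"}

def walk(node, path=""):
    """Yield (json_path, leaf_value) for every leaf in the payload."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def audit(payload):
    """Return sorted (json_path, finding) pairs; an empty list means nothing flagged."""
    findings = [(k, "unexpected-top-level-key") for k in set(payload) - TOP_LEVEL_KEYS]
    for path, value in walk(payload):
        if not isinstance(value, str):
            continue  # only string leaves can carry a URL, email or host name
        for label, pattern in CHECKS:
            if pattern.search(value):
                findings.append((path, label))
                break
    return sorted(findings)

# Constructed sample: a handful of fields copied from the page's example payload.
CLEAN_SAMPLE = json.loads("""
{
  "applicationVersion": "1.55.0",
  "collectionDuration": 523,
  "collectionInstant": 1720629226097,
  "instanceId": "eb76363d-8ee3-4188-8bae-ceed191a4780",
  "stats": {
    "applicationEnabledIdentityProviders": [{"count": 20, "idp": "Google"}],
    "instanceCompanyPlan": "Essentials",
    "instanceFirstTimeSetupProgress": {"apiKeyConfigured": false},
    "instanceFusionauthAppSearchDefaultRefreshInterval": "1s",
    "instanceJavaVersion": "17.0.8.1+1",
    "tenantNumber": 102
  },
  "statsVersion": "0.1.5",
  "timings": {"tenantNumber": 1}
}
""")

# Constructed counter-example: these hypothetical fields are NOT FusionAuth fields;
# they exist only to show what the audit flags.
TAMPERED_SAMPLE = json.loads(json.dumps(CLEAN_SAMPLE))
TAMPERED_SAMPLE["stats"]["hypotheticalWebhookUrl"] = "https://hooks.example.com/in"
TAMPERED_SAMPLE["stats"]["hypotheticalMailHost"] = "smtp.example.com"
TAMPERED_SAMPLE["hypotheticalAdminEmail"] = "admin@example.com"

if __name__ == "__main__":
    for path, finding in audit(TAMPERED_SAMPLE):
        print(f"{finding:26} {path}")
```

Version strings such as "1.55.0" and "17.0.8.1+1" pass the host name check because their last label is not alphabetic; tighten or extend the patterns to match what your own policy treats as identifying.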