Step 4: Outcome and audit
Terminal states
| State | SDK | MCP / hook |
|---|---|---|
| Verified | decision: 'stepup', status: 'verified' — proceed | Retry command; verified sid attached to level-2 API calls |
| Rejected | status: 'rejected' or overlay dismissed | Pending cleared; agent must start a new session |
| Denied (RBAC) | decision: 'deny' | deny-rbac-denied — no MFA offered |
| Expired | Poll timeout (~10 min TTL) | Same — create a new session |
Audit: always before and after step-up
| Stage | Tag | Severity | Webhook |
|---|---|---|---|
| Hook blocks, session opened | guard_gate_decision | medium | Yes (verify URL) |
| MFA success on auth page | {resource}:{action} or mcp:stepup | high | Yes |
| MFA failure / cancel | same tag | high, status: false | Yes |
| Retry after verified | guard_gate_decision (allow) | low | No |
Metadata on MFA rows includes type: mcp-stepup and method (passkey, totp, email-otp, …).
View in Console Audit Logs or MCP get_security_logs. Notification rules: Webhook.
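The two tables above describe a step-up as a sequence of audit rows. As an added example (not code from the docs or the SDK), the script below correlates such rows per session and derives the terminal state from the table: an MFA row with `status: true` means verified, `status: false` means rejected, an opened gate with no MFA row past the ~10 min TTL means expired, and a low-severity allow without a verified MFA row is flagged for review. The `sid` and `ts` fields and the sample rows are constructed assumptions; `tag`, `severity`, `status` and `metadata` follow the audit table.

```javascript
const STEP_UP_TTL_MS = 10 * 60 * 1000; // ~10 min pending TTL, from the table above

// Constructed sample audit rows (assumed shape): `sid` = session id, `ts` = epoch ms.
const SAMPLE_NOW = 2_000_000;
const SAMPLE_ROWS = [
  // A: hook blocked, passkey MFA succeeded, retry allowed -> verified
  { sid: 'A', ts: 100_000, tag: 'guard_gate_decision', severity: 'medium', metadata: {} },
  { sid: 'A', ts: 130_000, tag: 'mcp:stepup', severity: 'high', status: true, metadata: { type: 'mcp-stepup', method: 'passkey' } },
  { sid: 'A', ts: 140_000, tag: 'guard_gate_decision', severity: 'low', metadata: {} },
  // B: MFA failure / cancel -> rejected
  { sid: 'B', ts: 200_000, tag: 'guard_gate_decision', severity: 'medium', metadata: {} },
  { sid: 'B', ts: 230_000, tag: 'documents:delete', severity: 'high', status: false, metadata: { type: 'mcp-stepup', method: 'totp' } },
  // C: gate opened long ago, no MFA row -> expired
  { sid: 'C', ts: 500_000, tag: 'guard_gate_decision', severity: 'medium', metadata: {} },
  // D: gate opened just now -> still pending
  { sid: 'D', ts: 1_900_000, tag: 'guard_gate_decision', severity: 'medium', metadata: {} },
];

// Group rows by session and derive each session's terminal state.
function stepUpOutcomes(rows, now = Date.now()) {
  const bySid = new Map();
  for (const r of rows) {
    if (!bySid.has(r.sid)) bySid.set(r.sid, []);
    bySid.get(r.sid).push(r);
  }
  const result = {};
  for (const [sid, evs] of bySid) {
    evs.sort((a, b) => a.ts - b.ts);
    const opened = evs.find(e => e.tag === 'guard_gate_decision' && e.severity === 'medium');
    const mfa = evs.find(e => e.metadata && e.metadata.type === 'mcp-stepup');
    const retried = evs.some(e => e.tag === 'guard_gate_decision' && e.severity === 'low');
    let state = 'pending';
    if (mfa) state = mfa.status ? 'verified' : 'rejected';
    else if (opened && now - opened.ts > STEP_UP_TTL_MS) state = 'expired';
    result[sid] = {
      state,
      method: mfa ? mfa.metadata.method : null,
      // A low-severity allow with no verified MFA row in the same session is worth investigating.
      retryWithoutVerify: retried && state !== 'verified',
    };
  }
  return result;
}

console.log(stepUpOutcomes(SAMPLE_ROWS, SAMPLE_NOW));
```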
Custom app events
After step-up succeeds, you can log business actions separately:
```ts
// Record the business action once the step-up is verified; tag, severity,
// status and metadata show up as a row in Audit Logs.
await transcodes.trackUserAction({
  tag: 'documents:delete',
  severity: 'high',
  status: true,
  metadata: { documentId: 'doc_123' },
});
```