The Observability tab (the dashboard sometimes shows it as Analytics) gives you a four-panel snapshot of your application's auth health. The page is a sidebar of sub-pages, with Overview as the landing screen.
┌─────────────────────────┬─────────────────────────┐
│ Authentication Requests │ User Signups │
│ successful / failed │ new users per day │
├─────────────────────────┼─────────────────────────┤
│ Security Events │ Account Activity │
│ failed-login reasons │ locked / MFA-enabled │
└─────────────────────────┴─────────────────────────┘
Pick a date range from the header (7 days / 30 days / 90 days / custom). Every chart updates together.
Two-line area chart: successful logins vs failed logins per day. The successful line should track your DAU; the failed line is your noise floor — sustained spikes are usually credential-stuffing or brute-force runs and warrant a look at the Security page.
A click on the chart drills into the Security page filtered to that date.
Single-line area chart: new accounts created per day. Click anything to land on the Users page filtered to that date range. Useful for verifying that a marketing push actually translated to signups, or that your latest signup rule didn't strangle the funnel.
Bar chart: count of failed logins broken down by reason (invalid_password, account_locked, user_not_found, mfa_required_but_missing, etc.). The shape of the distribution tells you what to fix next:
Tall invalid_password bar → users forgetting passwords. Improve the magic-link or passkey signage.
Tall user_not_found bar → either a typo-prone email signup field or someone enumerating users. Pair with the Security page to investigate.
Tall mfa_required_but_missing → users hit the MFA wall mid-flow. Often a sign your enforcement just turned on without a clear migration message.
If there's nothing to chart, the panel shows "No security events in this period." That's good news.
Bar chart with two cards: Locked Accounts and MFA Enabled. The first should trend toward zero (it's a count of users currently in the lockout state). The second should trend up as your enforcement matures.
Failed logins by reason — same chart as above, plus a daily timeline.
Top offending IPs — IPs with the most failed login attempts. Useful when fingerprinting an attacker.
Top targeted accounts — accounts that are receiving the most failed attempts. Pair with account lockout thresholds.
Anomalies — sudden spikes vs the trailing baseline.
The page emits an alert badge when activity crosses a threshold — sustained > 50 failures/min, > 10× normal traffic on a single IP, etc. Tune thresholds via the Settings sub-page (defaults are sensible for most apps).
OAuth (split per provider — Google, Microsoft, GitHub, Apple)
Passkey
SAML SSO
Read it as a "what should I prioritize" diagnostic. If 90% of sign-ins are via password and only 2% via passkey, and you've enabled passkey for a month, the passkey CTA isn't visible enough on Authaz Sign-In.
Bookmark the Security page if you're on-call for security incidents. The first signal of a credential-stuffing run shows up there 5–15 minutes before your support inbox.
Treat MAU as a leading indicator, not a billing surprise. If MAU is climbing faster than expected, you're either growing well or someone's automating signups. Look at Auth Methods to see which.
Cohort retention reveals onboarding issues. Steep drop from week 1 → week 2 means the post-signup experience isn't sticking.
