Client Logging

Resources within commercetools Composable Commerce provide information on changes and modifications in the following fields:

The lastModifiedBy and createdBy fields are only present on resources created after 2019-02-01. If you update a resource created before 2019-02-01, the representation will contain the lastModifiedBy field.

Events tracked

Creating a resource adds the createdBy, createdAt, lastModifiedAt and lastModifiedBy fields.

Update actions called by an API client update the lastModifiedBy and lastModifiedAt fields. If the updated resource does not differ from the current resource during an update action, the action might be skipped. In this case, the lastModifiedBy and lastModifiedAt fields will not be updated. API client updates are:

  • Any client application calling the HTTP API.
  • Any client application calling the GraphQL API.
  • The Merchant Center.

Modifications done without using an API call or the Merchant Center do not update the lastModifiedBy field. In some cases they update the lastModifiedAt field.

Example: Activating a Product Discount updates the price of a product. Because this update is triggered by a background process, and not by an API call or the Merchant Center, the price update is not tracked.

Information in the fields

The lastModifiedBy and createdBy fields do not contain any personally identifiable information. However, they can contain the following as optional fields:

  • External user IDs.
  • References to Customer IDs.
  • Identifier for Anonymous Sessions.

The fields themselves are JSON objects. See the CreatedBy and LastModifiedBy Common Type for more information.

External user IDs

API clients can use the X-External-User-ID HTTP header to associate an external user ID with a modification. This can be useful for tracking changes made by users in an external service. For example, if you do not use the Merchant Center or the API authorization flows, using the X-External-User-ID HTTP header can provide more information in client logging fields than might otherwise be available.

The externalUserId field returns the information passed in this header. The externalUserId field is present on most representations that are passed to your front-end applications. Do not pass personal information, such as user email addresses, to the X-External-User-ID header.

When using the X-External-User-ID header, it is your responsibility to do one of the following:

  • Encrypt any information passed to the header.
  • Otherwise be GDPR and security compliant when using the header.
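One way to keep personal data out of the header and to check what has already been written, as an added example that is not part of the original documentation: it sends a keyed HMAC-SHA256 pseudonym of an internal user ID (a substitute for the encryption option above, not encryption itself) and scans resource representations for externalUserId values that look like email addresses. The key, the user IDs, the `clientId` key and the sample resources are constructed assumptions.

```python
import hashlib
import hmac
import re

HEADER = "X-External-User-ID"
# Loose pattern for values that look like an email address (treated as PII here).
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def pseudonymize(internal_user_id: str, key: bytes) -> str:
    """Keyed, non-reversible token for an internal user ID (HMAC-SHA256, hex)."""
    return hmac.new(key, internal_user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def external_user_header(internal_user_id: str, key: bytes) -> dict:
    """Header to attach to an API request; the raw ID never leaves the service."""
    return {HEADER: pseudonymize(internal_user_id, key)}


def find_pii_external_ids(resources: list) -> list:
    """Return (resource id, field) pairs whose externalUserId looks like an email."""
    findings = []
    for res in resources:
        for field in ("createdBy", "lastModifiedBy"):
            # Either field may be absent, for example on resources from before 2019-02-01.
            ext = (res.get(field) or {}).get("externalUserId")
            if ext and EMAIL_RE.search(ext):
                findings.append((res.get("id"), field))
    return findings


# Constructed sample data: the key, user ID and representations are made up.
KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RESOURCES = [
    {"id": "res-1", "createdBy": {"clientId": "client-a"},
     "lastModifiedBy": {"clientId": "client-a",
                        "externalUserId": "jane.doe@example.com"}},
    {"id": "res-2", "createdBy": {"clientId": "client-a"},
     "lastModifiedBy": {"clientId": "client-a",
                        "externalUserId": pseudonymize("crm-user-42", KEY)}},
    # Created before 2019-02-01 and not updated since: neither field is present.
    {"id": "res-3"},
]

if __name__ == "__main__":
    print(external_user_header("crm-user-42", KEY))
    print(find_pii_external_ids(SAMPLE_RESOURCES))
```

Keep the HMAC key in the service that sets the header; anyone who can read externalUserId on a front-end representation sees only the token.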

To use external user IDs from an external OAuth server, provide an external OAuth token with external_user_id:{externalId} in the scope. This ID is then used in the externalUserId field.