Client Logging

Resources on the commercetools platform provide information on changes and modifications in the following fields:

The lastModifiedBy and createdBy fields are only present on resources created after 01/02/2019. If you update a resource created before 01/02/2019, the representation will contain the lastModifiedBy field.

Events tracked

Creating a resource adds the createdBy, createdAt, lastModifiedAt and lastModifiedBy fields.

Any update action called by an API client updates the lastModifiedBy and lastModifiedAt fields. These include modifications using the following:

  • Any client application calling the HTTP API.
  • Any client application calling the GraphQL API.
  • The Merchant Center.

Internal platform services do not update the lastModifiedBy field. In some cases they update the lastModifiedAt field. These include the following:

  • Modifications not using an API call or the Merchant Center. For example, when activating a Product Discount, product price updates are not tracked.
  • Modifications using the Admin Center.

Information in the fields

The lastModifiedBy and createdBy fields do not contain any personally identifiable information. However, they can contain the following as optional fields:

  • External user IDs.
  • References to Customer IDs.
  • Identifier for Anonymous Sessions.

The fields themselves are JSON objects. See the CreatedBy and LastModifiedBy Common Type for more information.

External user IDs

API clients can use the X-External-User-ID HTTP header to associate an external user ID with a modification. This can be useful for tracking changes made by users in an external service. For example, if you do not use the Merchant Center or our API authorization flows, using the X-External-User-ID HTTP header can provide more information in client logging fields than might otherwise be available.

The externalUserId field returns the information passed in this header. The externalUserId field is present on most representations that are passed to your front-end applications. Do not pass personal information, such as user email addresses, in the X-External-User-ID header.

When using the X-External-User-ID header, it is your responsibility to do one of the following:

  • Encrypt any information passed to the header.
  • Otherwise ensure that your use of the header is GDPR and security compliant.
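
One way to follow the encryption option above, as an added example that is not commercetools code: AES-256-GCM from Node's crypto module seals an opaque internal user reference before it goes into X-External-User-ID, and the value is opened again when read from lastModifiedBy.externalUserId. The function names, key handling and sample ID are assumptions.

```javascript
// Added example, not commercetools code. Names and key handling are assumptions.
const crypto = require('node:crypto');

// Crude guard for the page's rule: no email addresses in the header.
const EMAIL_LIKE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

// Encrypt an opaque internal user reference for use as the header value.
function sealUserId(internalId, key) {
  if (EMAIL_LIKE.test(internalId)) {
    throw new Error('email-like value refused; pass an opaque internal ID');
  }
  const iv = crypto.randomBytes(12); // GCM needs a fresh nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(internalId, 'utf8'), cipher.final()]);
  // Layout: 12-byte nonce | 16-byte auth tag | ciphertext, base64url encoded
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Recover the reference from createdBy/lastModifiedBy.externalUserId.
// Throws if the value was truncated, tampered with, or sealed under another key.
function openUserId(sealed, key) {
  const raw = Buffer.from(sealed, 'base64url');
  if (raw.length < 28) throw new Error('value too short to be a sealed ID');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// Add the sealed ID to the headers of an update request.
function withExternalUser(headers, internalId, key) {
  return { ...headers, 'X-External-User-ID': sealUserId(internalId, key) };
}

// Constructed round trip: the key would come from a secret store in practice.
function demo() {
  const key = crypto.randomBytes(32);
  const headers = withExternalUser({}, 'crm-user-48213', key);
  // Constructed stand-in for a resource read back from the API.
  const resource = { lastModifiedBy: { externalUserId: headers['X-External-User-ID'] } };
  return openUserId(resource.lastModifiedBy.externalUserId, key);
}

console.log(demo());
```

Because each call uses a fresh nonce, the same user produces a different header value every time, so grouping changes by user requires decrypting with the key.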