Skip to main content
GET
/
api
/
audit-logs
Error
A valid request URL is required to generate request examples
{
  "audit_logs": [
    {
      "id": "<string>",
      "typeURI": "<string>",
      "eventTime": "2023-11-07T05:31:56Z",
      "initiator": {
        "id": "<string>",
        "typeURI": "<string>",
        "name": "<string>",
        "host": "<string>"
      },
      "target": {
        "id": "<string>",
        "typeURI": "<string>",
        "name": "<string>",
        "host": "<string>"
      },
      "observer": {
        "id": "<string>",
        "typeURI": "<string>",
        "name": "<string>",
        "host": "<string>"
      },
      "signature": "<string>",
      "createdAt": "2023-11-07T05:31:56Z",
      "reason": {
        "reasonCode": "<string>",
        "reasonType": "<string>",
        "message": "<string>"
      },
      "attachments": [
        {
          "name": "<string>",
          "contentType": "<string>",
          "content": "<string>"
        }
      ],
      "tags": [
        "<string>"
      ],
      "requestMethod": "<string>",
      "requestPath": "<string>",
      "requestIP": "<string>",
      "userAgent": "<string>",
      "duration": 123
    }
  ],
  "total": 123,
  "page": 123,
  "limit": 123,
  "total_pages": 123,
  "has_more": true,
  "next_cursor": "<string>"
}

Authorizations

Authorization
string
header
required

Management API authentication for /api/* endpoints. Use the Authorization header with Bearer <API key>. Virtual keys, dashboard/user/session tokens, and x-api-key headers are not supported on management APIs.

Query Parameters

page
integer
default:1

Page number for offset-based pagination (default 1).

Required range: x >= 1
limit
integer
default:100

Number of events to return per page (default 100, max 1000).

Required range: x <= 1000
cursor
string

Opaque cursor for cursor-based pagination (from next_cursor).

Free-text search across audit event fields.

action
enum<string>

Filter by a single CADF action. The CADF action performed.

Available options:
create,
read,
update,
delete,
authenticate,
authorize,
access,
enable,
disable,
start,
stop,
backup,
restore,
export,
import
actions
string

JSON array of CADF actions to filter by (OR match).

outcome
enum<string>

Filter by a single outcome. The CADF outcome of the action.

Available options:
success,
failure,
pending
outcomes
string

JSON array of outcomes to filter by (OR match).

event_type
enum<string>

Filter by a single event type. Classifies the audit event.

Available options:
activity,
monitor,
control
event_types
string

JSON array of event types to filter by (OR match).

initiator_id
string

Filter by a single initiator ID.

initiator_ids
string

JSON array of initiator IDs to filter by (OR match).

initiator_type
enum<string>

Filter by a single initiator resource type. The type of resource involved in an audit event (initiator or target).

Available options:
user,
api_key,
system,
provider,
virtual_key,
team,
customer,
role,
permission,
guardrail,
mcp_client,
mcp_tool_group,
plugin,
config,
session,
inference
initiator_types
string

JSON array of initiator resource types to filter by (OR match).

target_id
string

Filter by a single target ID.

target_ids
string

JSON array of target IDs to filter by (OR match).

target_type
enum<string>

Filter by a single target resource type. The type of resource involved in an audit event (initiator or target).

Available options:
user,
api_key,
system,
provider,
virtual_key,
team,
customer,
role,
permission,
guardrail,
mcp_client,
mcp_tool_group,
plugin,
config,
session,
inference
target_types
string

JSON array of target resource types to filter by (OR match).

start_date
string

Filter events at or after this time (RFC3339 or YYYY-MM-DD).

end_date
string

Filter events at or before this time (RFC3339 or YYYY-MM-DD; a date is treated as end-of-day).

period
string

Relative time window that overrides start_date/end_date when set (e.g. 24h, 7d).

request_method
string

Filter by a single HTTP request method.

request_methods
string

JSON array of HTTP request methods to filter by (OR match).

request_path
string

Filter by a single request path prefix.

request_paths
string

JSON array of request path prefixes to filter by (OR match).

request_ip
string

Filter by a single client IP address.

request_ips
string

JSON array of client IP addresses to filter by (OR match).

tags
string

JSON array of tags to filter by (any match).

sort_by
string
default:event_time

Field to sort by (default event_time).

sort_order
enum<string>
default:desc

Sort direction.

Available options:
asc,
desc

Response

Successful response

A paginated result of audit logs.

audit_logs
object[]
required

The list of audit events.

total
integer<int64>
required

Total count of events matching the filter.

page
integer
required

Current page number.

limit
integer
required

Page size.

total_pages
integer
required

Total number of pages.

has_more
boolean
required

Whether there are more results.

next_cursor
string

Opaque cursor for the next page (cursor-based pagination).