List audit logs
Retrieves CADF-compliant audit log events with filtering, search, and
pagination via query parameters. Most filter dimensions accept either a
single value (singular parameter, e.g. action) or a JSON-encoded array
of values (plural parameter, e.g. actions); when both are supplied the
plural array takes precedence.
{
  "audit_logs": [
    {
      "id": "<string>",
      "typeURI": "<string>",
      "eventTime": "2023-11-07T05:31:56Z",
      "initiator": {
        "id": "<string>",
        "typeURI": "<string>",
        "name": "<string>",
        "host": "<string>"
      },
      "target": {
        "id": "<string>",
        "typeURI": "<string>",
        "name": "<string>",
        "host": "<string>"
      },
      "observer": {
        "id": "<string>",
        "typeURI": "<string>",
        "name": "<string>",
        "host": "<string>"
      },
      "signature": "<string>",
      "createdAt": "2023-11-07T05:31:56Z",
      "reason": {
        "reasonCode": "<string>",
        "reasonType": "<string>",
        "message": "<string>"
      },
      "attachments": [
        {
          "name": "<string>",
          "contentType": "<string>",
          "content": "<string>"
        }
      ],
      "tags": [
        "<string>"
      ],
      "requestMethod": "<string>",
      "requestPath": "<string>",
      "requestIP": "<string>",
      "userAgent": "<string>",
      "duration": 123
    }
  ],
  "total": 123,
  "page": 123,
  "limit": 123,
  "total_pages": 123,
  "has_more": true,
  "next_cursor": "<string>"
}
Authorizations
Management API authentication for /api/* endpoints. Use the Authorization header with Bearer <API key>.
Virtual keys, dashboard/user/session tokens, and x-api-key headers are not supported on management APIs.
Query Parameters
Page number for offset-based pagination (default 1).
Range: x >= 1
Number of events to return per page (default 100, max 1000).
Range: x <= 1000
Opaque cursor for cursor-based pagination (from next_cursor).
Free-text search across audit event fields.
Filter by a single CADF action. The CADF action performed.
Allowed values: create, read, update, delete, authenticate, authorize, access, enable, disable, start, stop, backup, restore, export, import
JSON array of CADF actions to filter by (OR match).
Filter by a single outcome. The CADF outcome of the action.
Allowed values: success, failure, pending
JSON array of outcomes to filter by (OR match).
Filter by a single event type. Classifies the audit event.
Allowed values: activity, monitor, control
JSON array of event types to filter by (OR match).
Filter by a single initiator ID.
JSON array of initiator IDs to filter by (OR match).
Filter by a single initiator resource type. The type of resource involved in an audit event (initiator or target).
Allowed values: user, api_key, system, provider, virtual_key, team, customer, role, permission, guardrail, mcp_client, mcp_tool_group, plugin, config, session, inference
JSON array of initiator resource types to filter by (OR match).
Filter by a single target ID.
JSON array of target IDs to filter by (OR match).
Filter by a single target resource type. The type of resource involved in an audit event (initiator or target).
Allowed values: user, api_key, system, provider, virtual_key, team, customer, role, permission, guardrail, mcp_client, mcp_tool_group, plugin, config, session, inference
JSON array of target resource types to filter by (OR match).
Filter events at or after this time (RFC3339 or YYYY-MM-DD).
Filter events at or before this time (RFC3339 or YYYY-MM-DD; a date is treated as end-of-day).
Relative time window that overrides start_date/end_date when set (e.g. 24h, 7d).
Filter by a single HTTP request method.
JSON array of HTTP request methods to filter by (OR match).
Filter by a single request path prefix.
JSON array of request path prefixes to filter by (OR match).
Filter by a single client IP address.
JSON array of client IP addresses to filter by (OR match).
JSON array of tags to filter by (any match).
Field to sort by (default event_time).
Sort direction.
Allowed values: asc, desc
Response
Successful response
A paginated result of audit logs.
The list of audit events.
Total count of events matching the filter.
Current page number.
Page size.
Total number of pages.
Whether there are more results.
Opaque cursor for the next page (cursor-based pagination).
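The following Python code is an added example, not part of the original reference and not the vendor's client: it encodes plural filters as JSON arrays, refuses a singular and plural filter sent together (the plural would silently win), and follows next_cursor until has_more is false. The path `/api/audit-logs`, the host, and the parameter names `outcomes`, `period`, `limit` and `cursor` are assumptions; the page names only `action`/`actions`, and the responses are constructed.

```python
import json
from urllib.parse import urlencode

# Assumptions (not on the page): the path, and the parameter names `outcomes`,
# `period`, `limit`, `cursor`. Plural is assumed to be singular + "s" (action/actions).
AUDIT_PATH = "/api/audit-logs"  # placeholder path

def build_query(filters, limit=1000, cursor=None):
    """Serialise filters; list values become JSON-encoded arrays (plural form)."""
    if not 1 <= limit <= 1000:  # documented maximum page size is 1000
        raise ValueError("limit must be between 1 and 1000")
    for name in filters:
        if name + "s" in filters:  # the plural array would silently override
            raise ValueError(f"send either {name} or {name}s, not both")
    params = {"limit": str(limit)}
    for name, value in filters.items():
        is_list = isinstance(value, (list, tuple))
        params[name] = json.dumps(list(value)) if is_list else str(value)
    if cursor:
        params["cursor"] = cursor
    return urlencode(params)

def iter_events(fetch, base_url, api_key, filters, limit=1000):
    """Yield every matching event, following next_cursor until has_more is false."""
    headers = {"Authorization": f"Bearer {api_key}"}  # management API key only
    cursor, seen = None, set()
    while True:
        url = f"{base_url}{AUDIT_PATH}?{build_query(filters, limit, cursor)}"
        page = fetch(url, headers)
        yield from page["audit_logs"]
        cursor = page.get("next_cursor")
        if not page.get("has_more") or not cursor:
            return
        if cursor in seen:  # stop if the server keeps returning the same cursor
            raise RuntimeError("cursor repeated")
        seen.add(cursor)

def constructed_fetch(url, headers):
    """Offline stand-in for an HTTP GET; returns two constructed pages."""
    if "cursor=c1" in url:
        return {"audit_logs": [{"id": "evt-3"}], "has_more": False, "next_cursor": ""}
    return {"audit_logs": [{"id": "evt-1"}, {"id": "evt-2"}], "has_more": True, "next_cursor": "c1"}

FILTERS = {"actions": ["authenticate", "authorize"], "outcomes": ["failure"], "period": "24h"}
if __name__ == "__main__":
    for event in iter_events(constructed_fetch, "https://gateway.example", "PLACEHOLDER_KEY", FILTERS):
        print(event["id"])
```

In real use, `fetch` is any callable that performs the GET with the given headers and returns the decoded JSON body.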

