> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getbifrost.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# List audit logs

> Retrieves CADF-compliant audit log events with filtering, search, and
pagination via query parameters. Most filter dimensions accept either a
single value (singular parameter, e.g. `action`) or a JSON-encoded array
of values (plural parameter, e.g. `actions`); when both are supplied the
plural array takes precedence.




## OpenAPI

````yaml /openapi/openapi.json get /api/audit-logs
openapi: 3.1.0
info:
  title: Bifrost API
  description: >
    Bifrost HTTP Transport API for AI model inference and gateway management.


    This API provides a unified interface for interacting with multiple AI
    providers

    including OpenAI, Anthropic, Bedrock, Gemini, and more through a single API,

    along with comprehensive management APIs for configuring and monitoring the
    gateway.


    ## API Structure


    ### Unified Inference API (`/v1/*`)

    The primary API using Bifrost's unified format. Model parameters use the
    format

    `provider/model` (e.g., `openai/gpt-4`, `anthropic/claude-3-opus`).


    ### Async Inference API (`/v1/async/*`)

    Submit inference requests for asynchronous execution. Returns a job ID
    immediately

    and allows polling for results. Supports all inference types except batches,
    files,

    and containers.


    ### Provider Integration APIs

    Native provider-format APIs for drop-in compatibility:

    - `/openai/*` - OpenAI-compatible API

    - `/anthropic/*` - Anthropic-compatible API

    - `/genai/*` - Google GenAI (Gemini) compatible API

    - `/bedrock/*` - AWS Bedrock compatible API

    - `/cohere/*` - Cohere compatible API


    ### Framework Integration APIs

    Multi-provider proxy endpoints for AI frameworks:

    - `/litellm/*` - LiteLLM proxy with all provider formats

    - `/langchain/*` - LangChain compatible endpoints

    - `/pydanticai/*` - PydanticAI compatible endpoints


    ### Management APIs (`/api/*`)

    APIs for managing and monitoring the Bifrost gateway:

    - `/api/config` - Configuration management

    - `/api/providers` - Provider and API key management

    - `/api/plugins` - Plugin management

    - `/api/governance/*` - Virtual keys, teams, customers, budgets, rate
    limits, routing rules, and pricing overrides

    - `/api/logs` - Log search and analytics

    - `/api/mcp/*` - MCP (Model Context Protocol) client management

    - `/api/session/*` - Authentication and session management

    - `/api/cache/*` - Cache management

    - `/health` - Health check endpoint


    ## Fallbacks

    Requests can include fallback models that will be tried if the primary model
    fails.
  version: 1.0.0
  contact:
    name: Contact Us
    url: https://getmaxim.ai/bifrost
  license:
    name: Apache 2.0
    url: https://opensource.org/licenses/Apache-2.0
servers:
  - url: '{baseUrl}'
    description: Your Bifrost instance
    variables:
      baseUrl:
        default: http://localhost:8080
        description: Base URL of your Bifrost instance (e.g. https://bifrost.mycompany.com)
security:
  - BearerAuth: []
  - BasicAuth: []
  - ApiKeyAuth: []
tags:
  - name: Models
    description: Model listing and information
  - name: Chat Completions
    description: Chat-based text generation
  - name: Text Completions
    description: Text completion generation
  - name: Responses
    description: OpenAI Responses API compatible endpoints
  - name: OCR
    description: Optical character recognition for documents and images
  - name: Rerank
    description: Document reranking by relevance to a query
  - name: Embeddings
    description: Text embedding generation
  - name: Images
    description: Image generations, editing, and variations
  - name: Videos
    description: Video generation and management
  - name: Audio
    description: Speech synthesis and transcription
  - name: Count Tokens
    description: Token counting utilities
  - name: Batch
    description: Batch processing operations
  - name: Files
    description: File management operations
  - name: Containers
    description: Container management operations
  - name: Async Jobs
    description: Asynchronous job submission and retrieval endpoints
  - name: Realtime
    description: Realtime WebSocket and WebRTC endpoints
  - name: OpenAI Integration
    description: OpenAI-compatible API endpoints (/openai/*)
  - name: Azure Integration
    description: Azure OpenAI integration endpoints
  - name: Anthropic Integration
    description: Anthropic-compatible API endpoints (/anthropic/*)
  - name: GenAI Integration
    description: Google GenAI (Gemini) compatible API endpoints (/genai/*)
  - name: Bedrock Integration
    description: AWS Bedrock compatible API endpoints (/bedrock/*)
  - name: Cohere Integration
    description: Cohere compatible API endpoints (/cohere/*)
  - name: LiteLLM Integration
    description: LiteLLM proxy endpoints with multi-provider support (/litellm/*)
  - name: LangChain Integration
    description: LangChain compatible endpoints with multi-provider support (/langchain/*)
  - name: PydanticAI Integration
    description: >-
      PydanticAI compatible endpoints with multi-provider support
      (/pydanticai/*)
  - name: Health
    description: Health check endpoints
  - name: Configuration
    description: Configuration management endpoints
  - name: Session
    description: Session and authentication endpoints
  - name: Providers
    description: Provider management endpoints
  - name: Plugins
    description: Plugin management endpoints
  - name: MCP
    description: Model Context Protocol endpoints
  - name: Governance
    description: Virtual keys, teams, and customers management
  - name: Logging
    description: Log search and management endpoints
  - name: Cache
    description: Cache management endpoints
  - name: Vault
    description: Vault secret management endpoints
  - name: Skills
    description: Skills Repository management, marketplace, and download endpoints
  - name: Audit Logs
    description: >-
      CADF-compliant audit log search, export, and signature verification
      endpoints
paths:
  /api/audit-logs:
    get:
      tags:
        - Audit Logs
      summary: List audit logs
      description: |
        Retrieves CADF-compliant audit log events with filtering, search, and
        pagination via query parameters. Most filter dimensions accept either a
        single value (singular parameter, e.g. `action`) or a JSON-encoded array
        of values (plural parameter, e.g. `actions`); when both are supplied the
        plural array takes precedence.
      operationId: getAuditLogs
      parameters:
        - name: page
          in: query
          description: Page number for offset-based pagination (default 1).
          schema:
            type: integer
            minimum: 1
            default: 1
        - name: limit
          in: query
          description: Number of events to return per page (default 100, max 1000).
          schema:
            type: integer
            default: 100
            maximum: 1000
        - name: cursor
          in: query
          description: Opaque cursor for cursor-based pagination (from `next_cursor`).
          schema:
            type: string
        - name: search
          in: query
          description: Free-text search across audit event fields.
          schema:
            type: string
        - name: action
          in: query
          description: Filter by a single CADF action.
          schema:
            $ref: '#/components/schemas/AuditAction'
        - name: actions
          in: query
          description: JSON array of CADF actions to filter by (OR match).
          schema:
            type: string
          example: '["create","update"]'
        - name: outcome
          in: query
          description: Filter by a single outcome.
          schema:
            $ref: '#/components/schemas/AuditOutcome'
        - name: outcomes
          in: query
          description: JSON array of outcomes to filter by (OR match).
          schema:
            type: string
          example: '["success","failure"]'
        - name: event_type
          in: query
          description: Filter by a single event type.
          schema:
            $ref: '#/components/schemas/AuditEventType'
        - name: event_types
          in: query
          description: JSON array of event types to filter by (OR match).
          schema:
            type: string
          example: '["activity","control"]'
        - name: initiator_id
          in: query
          description: Filter by a single initiator ID.
          schema:
            type: string
        - name: initiator_ids
          in: query
          description: JSON array of initiator IDs to filter by (OR match).
          schema:
            type: string
        - name: initiator_type
          in: query
          description: Filter by a single initiator resource type.
          schema:
            $ref: '#/components/schemas/AuditResourceType'
        - name: initiator_types
          in: query
          description: JSON array of initiator resource types to filter by (OR match).
          schema:
            type: string
        - name: target_id
          in: query
          description: Filter by a single target ID.
          schema:
            type: string
        - name: target_ids
          in: query
          description: JSON array of target IDs to filter by (OR match).
          schema:
            type: string
        - name: target_type
          in: query
          description: Filter by a single target resource type.
          schema:
            $ref: '#/components/schemas/AuditResourceType'
        - name: target_types
          in: query
          description: JSON array of target resource types to filter by (OR match).
          schema:
            type: string
        - name: start_date
          in: query
          description: Filter events at or after this time (RFC3339 or `YYYY-MM-DD`).
          schema:
            type: string
        - name: end_date
          in: query
          description: >-
            Filter events at or before this time (RFC3339 or `YYYY-MM-DD`; a
            date is treated as end-of-day).
          schema:
            type: string
        - name: period
          in: query
          description: >-
            Relative time window that overrides `start_date`/`end_date` when set
            (e.g. `24h`, `7d`).
          schema:
            type: string
        - name: request_method
          in: query
          description: Filter by a single HTTP request method.
          schema:
            type: string
        - name: request_methods
          in: query
          description: JSON array of HTTP request methods to filter by (OR match).
          schema:
            type: string
        - name: request_path
          in: query
          description: Filter by a single request path prefix.
          schema:
            type: string
        - name: request_paths
          in: query
          description: JSON array of request path prefixes to filter by (OR match).
          schema:
            type: string
        - name: request_ip
          in: query
          description: Filter by a single client IP address.
          schema:
            type: string
        - name: request_ips
          in: query
          description: JSON array of client IP addresses to filter by (OR match).
          schema:
            type: string
        - name: tags
          in: query
          description: JSON array of tags to filter by (any match).
          schema:
            type: string
          example: '["security","auth"]'
        - name: sort_by
          in: query
          description: Field to sort by (default `event_time`).
          schema:
            type: string
            default: event_time
        - name: sort_order
          in: query
          description: Sort direction.
          schema:
            type: string
            enum:
              - asc
              - desc
            default: desc
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuditLogsResult'
        '400':
          description: Bad request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BifrostError'
        '500':
          description: Internal server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BifrostError'
      security:
        - ManagementBearerAuth: []
components:
  schemas:
    AuditAction:
      type: string
      description: The CADF action performed.
      enum:
        - create
        - read
        - update
        - delete
        - authenticate
        - authorize
        - access
        - enable
        - disable
        - start
        - stop
        - backup
        - restore
        - export
        - import
    AuditOutcome:
      type: string
      description: The CADF outcome of the action.
      enum:
        - success
        - failure
        - pending
    AuditEventType:
      type: string
      description: Classifies the audit event.
      enum:
        - activity
        - monitor
        - control
    AuditResourceType:
      type: string
      description: The type of resource involved in an audit event (initiator or target).
      enum:
        - user
        - api_key
        - system
        - provider
        - virtual_key
        - team
        - customer
        - role
        - permission
        - guardrail
        - mcp_client
        - mcp_tool_group
        - plugin
        - config
        - session
        - inference
    AuditLogsResult:
      type: object
      description: A paginated result of audit logs.
      properties:
        audit_logs:
          type: array
          description: The list of audit events.
          items:
            $ref: '#/components/schemas/AuditEvent'
        total:
          type: integer
          format: int64
          description: Total count of events matching the filter.
        page:
          type: integer
          description: Current page number.
        limit:
          type: integer
          description: Page size.
        total_pages:
          type: integer
          description: Total number of pages.
        has_more:
          type: boolean
          description: Whether there are more results.
        next_cursor:
          type: string
          description: Opaque cursor for the next page (cursor-based pagination).
      required:
        - audit_logs
        - total
        - page
        - limit
        - total_pages
        - has_more
    BifrostError:
      type: object
      description: Error response from Bifrost
      properties:
        event_id:
          type: string
        type:
          type: string
        is_bifrost_error:
          type: boolean
        status_code:
          type: integer
        error:
          $ref: '#/components/schemas/ErrorField'
        extra_fields:
          $ref: '#/components/schemas/BifrostErrorExtraFields'
    AuditEvent:
      type: object
      description: A CADF-compliant audit event.
      properties:
        id:
          type: string
          description: Unique identifier for this event (UUID).
        typeURI:
          type: string
          description: Event type URI (e.g., "http://schemas.bifrost.io/audit/api/v1").
        eventType:
          $ref: '#/components/schemas/AuditEventType'
        eventTime:
          type: string
          format: date-time
          description: When the event occurred (RFC 3339).
        action:
          $ref: '#/components/schemas/AuditAction'
        outcome:
          $ref: '#/components/schemas/AuditOutcome'
        initiator:
          $ref: '#/components/schemas/AuditResource'
        target:
          $ref: '#/components/schemas/AuditResource'
        observer:
          $ref: '#/components/schemas/AuditResource'
        reason:
          $ref: '#/components/schemas/AuditReason'
        attachments:
          type: array
          items:
            $ref: '#/components/schemas/AuditAttachment'
        tags:
          type: array
          description: Searchable labels for categorization.
          items:
            type: string
        requestMethod:
          type: string
          description: HTTP method (GET, POST, etc.).
        requestPath:
          type: string
          description: HTTP request path.
        requestIP:
          type: string
          description: Client IP address.
        userAgent:
          type: string
          description: HTTP User-Agent header.
        duration:
          type: integer
          format: int64
          description: Request duration in milliseconds.
        signature:
          type: string
          description: HMAC-SHA256 signature for tamper detection.
        createdAt:
          type: string
          format: date-time
          description: When the record was created in the database.
      required:
        - id
        - typeURI
        - eventType
        - eventTime
        - action
        - outcome
        - initiator
        - target
        - observer
        - signature
        - createdAt
    ErrorField:
      type: object
      properties:
        type:
          type: string
        code:
          type: string
        message:
          type: string
        param:
          type: string
        event_id:
          type: string
    BifrostErrorExtraFields:
      type: object
      properties:
        provider:
          $ref: '#/components/schemas/ModelProvider'
        model_requested:
          type: string
        request_type:
          type: string
    AuditResource:
      type: object
      description: A CADF resource (initiator, target, or observer).
      properties:
        id:
          type: string
          description: Unique identifier of the resource.
        typeURI:
          type: string
          description: Resource type URI (e.g., "bifrost/user", "bifrost/api_key").
        name:
          type: string
          description: Human-readable name of the resource.
        host:
          type: string
          description: Hostname or IP address associated with the resource.
      required:
        - id
        - typeURI
    AuditReason:
      type: object
      description: The CADF reason for an outcome (especially for failures).
      properties:
        reasonCode:
          type: string
          description: Machine-readable code (e.g., "401", "FORBIDDEN").
        reasonType:
          type: string
          description: Category of reason (e.g., "HTTP", "policy").
        message:
          type: string
          description: Human-readable description.
    AuditAttachment:
      type: object
      description: Additional CADF data attached to an event.
      properties:
        name:
          type: string
          description: Identifies the attachment.
        contentType:
          type: string
          description: MIME type of the content.
        content:
          type: string
          description: Attachment data (typically a JSON string).
      required:
        - name
        - contentType
        - content
    ModelProvider:
      type: string
      description: AI model provider identifier
      enum:
        - openai
        - azure
        - anthropic
        - bedrock
        - cohere
        - vertex
        - vllm
        - mistral
        - ollama
        - groq
        - sgl
        - parasail
        - perplexity
        - replicate
        - cerebras
        - gemini
        - openrouter
        - elevenlabs
        - huggingface
        - nebius
        - xai
        - runway
        - fireworks
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: >
        Bearer token authentication. Use your provider API key or Bifrost
        authentication token.

        Virtual keys (prefixed with `sk-bf-`) can also be passed here.
    BasicAuth:
      type: http
      scheme: basic
      description: |
        Basic authentication using username and password.
    ApiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key
      description: |
        API key authentication via the `x-api-key` header.
        Virtual keys (prefixed with `sk-bf-`) can also be passed here.
    ManagementBearerAuth:
      type: http
      scheme: bearer
      description: >
        Management API authentication for `/api/*` endpoints. Use the
        `Authorization` header with `Bearer <API key>`.

        Virtual keys, dashboard/user/session tokens, and `x-api-key` headers are
        not supported on management APIs.

````