Audit Log
Every administrator and API-key mutation in your organization lands in a single audit stream. The Audit Log page filters, paginates, and exports that stream for incident response, change-history reviews, and compliance evidence.
Where this lives
Sidebar → Audit Log under the Overview section, at /organization/audit-log. Visible to org admins only.
What is recorded
Mutations are audited; read-only actions (list, get, dashboard queries) are not. Examples of audited actions include user.invited, user.updated, user.removed, team.created, assignment.created, assignment.updated, apikey.created, apikey.revoked, webhook.created, and sarif.ingested. The full list of action names ever seen by your tenant is available through the Action filter dropdown.
Each row carries:
| Field | Meaning |
|---|---|
| createdAt | UTC timestamp of the change. |
| action | Dotted identifier for what happened. |
| actorEmail + actorRole | Who performed the action. Admin UI mutations carry the human's email and the org_admin role. Public-API mutations carry apikey:<api-key-uuid> and the role api_key. |
| targetType / targetId / targetLabel | The resource that was changed. The label is a short human-readable description used in the UI. |
| metadata | JSON-stringified context describing exactly what changed (e.g. before/after deadlines on an assignment, the scope set on a new API key). |
| ipAddress | Source IP of the request that caused the change. |
Filtering
The page combines four filters; they all narrow the result set together, and an empty filter is treated as "any value".
- Action — exact-match against the action name. The dropdown lists every action your tenant has ever recorded.
- Actor email — exact-match against the actor identifier. Type a human email for admin UI mutations or paste apikey:<api-key-uuid> to isolate a specific API key's activity.
- From / To — inclusive UTC date bounds.
- Page size — 50 by default; capped at 200.
CSV export
Click Export CSV at the top right to download the filtered result set. The export includes every column listed above plus a metadata column that retains the original JSON string — useful when shipping the file into a SIEM or a spreadsheet that can parse JSON cells.
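One way to post-process an exported file before it goes into a SIEM, as an added example that is not the product's own code: it decodes the metadata JSON string in each row and groups mutations made by API keys, flagging keys seen from more than one source IP. It assumes the CSV header names match the field names in the table above; the metadata keys and all sample values are constructed.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample export. Column names are assumed to match the field
# names in the table above; metadata keys and all values are made up.
SAMPLE_CSV = '''createdAt,action,actorEmail,actorRole,targetType,targetId,targetLabel,metadata,ipAddress
2024-05-01T09:00:00Z,apikey.created,admin@example.com,org_admin,apikey,k1,CI key,"{""scopes"": [""read""]}",198.51.100.7
2024-05-01T09:05:00Z,assignment.updated,apikey:11111111-1111-4111-8111-111111111111,api_key,assignment,a1,Fix XSS,"{""before"": ""2024-05-10"", ""after"": ""2024-06-10""}",203.0.113.9
2024-05-01T09:06:00Z,webhook.created,apikey:11111111-1111-4111-8111-111111111111,api_key,webhook,w1,Hook,not-json,192.0.2.44
2024-05-01T09:10:00Z,user.invited,admin@example.com,org_admin,user,u2,new@example.com,{},198.51.100.7
'''

API_KEY_PREFIX = "apikey:"


def load_rows(csv_text):
    """Parse the export and decode the metadata JSON string in each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            row["metadata"] = json.loads(row["metadata"] or "{}")
        except json.JSONDecodeError:
            # Keep the raw string so nothing is lost before SIEM ingestion.
            row["metadata"] = {"_raw": row["metadata"]}
        rows.append(row)
    return rows


def api_key_activity(rows):
    """Group mutations by API key UUID: actions performed and source IPs."""
    summary = defaultdict(lambda: {"actions": [], "ips": set()})
    for row in rows:
        actor = row["actorEmail"]
        if row["actorRole"] == "api_key" and actor.startswith(API_KEY_PREFIX):
            key_id = actor[len(API_KEY_PREFIX):]
            summary[key_id]["actions"].append(row["action"])
            summary[key_id]["ips"].add(row["ipAddress"])
    return dict(summary)


def keys_with_multiple_ips(summary):
    """API keys seen from more than one source IP, worth a closer look."""
    return sorted(k for k, v in summary.items() if len(v["ips"]) > 1)


if __name__ == "__main__":
    print(keys_with_multiple_ips(api_key_activity(load_rows(SAMPLE_CSV))))
```

The multiple-IP check is a heuristic chosen for this example; tune it to how your API keys are actually deployed.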
Programmatic access
The same audit stream is reachable from the public API via GET /api/public/v1/audit-log with the same query parameters as the UI. See API → Audit Log for the JSON envelope and pagination rules. Common automations include hourly incremental polls into a SIEM (Datadog, Splunk, Elastic) and weekly dumps into a compliance evidence store.
What is not stored
The audit row stores actor email, role, target metadata, IP address, and a JSON metadata blob. It does not store request bodies, response bodies, or User-Agent strings on the returned row. The User-Agent is captured server-side for forensics but is not surfaced through either the admin UI or the public API today.