GET /audit
Query the audit log
curl --request GET \
  --url https://{hostname}/v1/audit \
  --header 'Authorization: Bearer <token>'
{
  "records": [
    {
      "request_id": "req_01JNQBC4X8Y2Z3A",
      "principal": {
        "type": "user",
        "user_id": "u_analyst_jdoe",
        "user_email": "analyst@example.com",
        "idp_session_id": "saml_sess_abc123",
        "api_key_id": "key_svc_01",
        "service_account_name": "integration-prod"
      },
      "organization_id": "org_example_001",
      "source_ip": "10.14.2.55",
      "logged_at": "2026-02-19T14:23:01Z",
      "requester_reference": "CASE-2026-00412",
      "identifiers_queried": 2
    }
  ],
  "total": 1482,
  "next_cursor": "<string>"
}

Authorizations

Authorization
string
header
required

JWT issued by your organization's SAML/OIDC identity provider after authentication. Required for user-attributed queries. The sub claim is recorded verbatim in the audit trail.

Query Parameters

from
string<date-time>

ISO 8601 start timestamp (inclusive).

to
string<date-time>

ISO 8601 end timestamp (inclusive).

user_id
string

Filter by the identity provider user ID.

limit
integer
default: 100

Required range: 1 <= x <= 1000

cursor
string

Pagination cursor from a previous response.

Response

Audit records returned.

records
object[]
required

total
integer
required

Total number of records matching the filter (before pagination).

Example:

1482

next_cursor
string | null

Cursor to retrieve the next page. Null when no further pages exist.
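
The following is an added example, not part of this API reference: it walks every page of an audit query by following next_cursor until it is null, then totals identifiers_queried per principal.user_id for review. The `fetch` callable, the helper names and the two-page sample are constructed for illustration, and resending the filters together with the cursor is an assumption.

```python
from collections import Counter

def iter_audit_records(fetch, start, end, user_id=None, limit=1000):
    """Yield every record between start and end, following next_cursor.

    fetch(params) is a caller-supplied function (hypothetical) that performs
    GET /v1/audit with the bearer token and returns the decoded JSON body.
    """
    if not 1 <= limit <= 1000:               # documented range for limit
        raise ValueError("limit must be between 1 and 1000")
    params = {"from": start, "to": end, "limit": limit}
    if user_id is not None:
        params["user_id"] = user_id
    seen = set()
    while True:
        page = fetch(dict(params))
        yield from page["records"]
        cursor = page.get("next_cursor")
        if cursor is None:                   # null: no further pages exist
            return
        if cursor in seen:                   # defensive: never loop on a repeated cursor
            raise RuntimeError("repeated cursor: " + cursor)
        seen.add(cursor)
        params["cursor"] = cursor            # assumption: filters are resent with the cursor

def identifiers_by_user(records):
    """Sum identifiers_queried per principal.user_id for a reviewer's rollup."""
    totals = Counter()
    for rec in records:
        totals[rec["principal"]["user_id"]] += rec["identifiers_queried"]
    return dict(totals)

# Constructed two-page response set standing in for the API (not real data).
def _rec(user, n):
    return {"principal": {"type": "user", "user_id": user}, "identifiers_queried": n}

CONSTRUCTED_PAGES = {
    None: {"records": [_rec("u_analyst_jdoe", 2), _rec("u_analyst_asmith", 5)],
           "total": 3, "next_cursor": "c1"},
    "c1": {"records": [_rec("u_analyst_jdoe", 1)], "total": 3, "next_cursor": None},
}

def constructed_fetch(params):
    return CONSTRUCTED_PAGES[params.get("cursor")]

if __name__ == "__main__":
    recs = list(iter_audit_records(constructed_fetch, "2026-02-19T00:00:00Z",
                                   "2026-02-19T23:59:59Z", limit=2))
    print(len(recs), identifiers_by_user(recs))
```

Comparing the number of records retrieved with the `total` field of the first page gives a quick completeness check on an export.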