
Every state change inside TokenID — role grants, policy edits, retention changes, data deletions, signing-key registrations, kill-switch invocations — writes a row to the org audit log. The log is append-only, scoped per organization, and survives org-data erasure so you keep proof of who did what, when, even after a GDPR purge.

List audit-log records

GET /api/v1/audit-log

Returns the org's audit history in reverse-chronological order, paginated.

Query parameters

| Parameter | Type | Description |
|---|---|---|
| actor_id | UUID | Filter to actions taken by a specific user |
| action | string | Exact match on action key, e.g. api_keys.write, org_data.delete |
| since | ISO 8601 | Include records with recorded_at >= since |
| until | ISO 8601 | Include records with recorded_at < until |
| page | integer | Page number (1-indexed). Default 1 |
| page_size | integer | Records per page. Default 50, max 200 |

Response

{
  "items": [
    {
      "id": "aud_01abc…",
      "actor_id": "usr_01def…",
      "action": "api_keys.delete",
      "resource_type": "api_keys",
      "resource_id": "key_01ghi…",
      "metadata": {
        "path": "/api/v1/api-keys/key_01ghi…",
        "method": "DELETE"
      },
      "recorded_at": "2026-05-21T08:00:00Z"
    }
  ],
  "total": 1,
  "page": 1,
  "page_size": 50
}

Field reference

| Field | Description |
|---|---|
| id | Audit-log row UUID |
| actor_id | User who performed the action. null for system-driven jobs |
| action | Action key in the form <resource>.<verb>, where the verb is one of write, delete, invoke |
| resource_type | Resource class (api_keys, org_data, kill_switch, …) |
| resource_id | UUID of the affected resource, if applicable |
| metadata | Request context: path, HTTP method, and any per-action extras |
| recorded_at | UTC timestamp the action was recorded |

What gets logged

Only sensitive actions write rows — write, delete, and invoke. Reads do not, on purpose, so the log stays small and focused on evidence. Examples:

| Action | Triggered by |
|---|---|
| api_keys.write / api_keys.delete | Creating or revoking an API key |
| connections.write / connections.delete | Connecting or removing a provider integration |
| enforcement_config.write | Editing budget caps or kill-switch thresholds |
| kill_switch.invoke | Tripping the kill switch (manual or automated) |
| org_data.delete | Full GDPR erasure of org data |
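
A client-side sketch of the listing call above, added here as an example and not TokenID's own code: it pages through a since/until window and picks out high-impact actions for review. The names fake_fetch, fetch_all and high_impact, the HIGH_IMPACT selection and the sample rows are constructed assumptions; fake_fetch stands in for the HTTP call to GET /api/v1/audit-log so the block runs offline.

```python
from datetime import datetime

MAX_PAGE_SIZE = 200  # documented maximum for page_size
# Assumption: which documented actions this reviewer treats as alert-worthy.
HIGH_IMPACT = {"org_data.delete", "kill_switch.invoke", "enforcement_config.write"}

# Constructed sample rows (ids and actors are placeholders, not real values).
SAMPLE_ROWS = [dict(zip(("id", "actor_id", "action", "recorded_at"), r)) for r in [
    ("aud_c1", "usr_a", "api_keys.write", "2026-05-20T09:00:00Z"),
    ("aud_c2", "usr_a", "enforcement_config.write", "2026-05-20T10:00:00Z"),
    ("aud_c3", None, "kill_switch.invoke", "2026-05-20T23:59:59Z"),
    ("aud_c4", "usr_b", "org_data.delete", "2026-05-21T00:00:00Z"),
    ("aud_c5", "usr_b", "api_keys.delete", "2026-05-21T08:00:00Z"),
]]

def _ts(value):
    # Parse the ISO 8601 UTC timestamps used by recorded_at / since / until.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def fake_fetch(params):
    """Constructed stand-in for the endpoint; applies the documented filters."""
    rows = [r for r in SAMPLE_ROWS
            if ("action" not in params or r["action"] == params["action"])
            and ("actor_id" not in params or r["actor_id"] == params["actor_id"])
            and ("since" not in params or _ts(r["recorded_at"]) >= _ts(params["since"]))
            and ("until" not in params or _ts(r["recorded_at"]) < _ts(params["until"]))]
    rows.sort(key=lambda r: r["recorded_at"], reverse=True)  # reverse-chronological
    size, page = min(params.get("page_size", 50), MAX_PAGE_SIZE), params.get("page", 1)
    return {"items": rows[(page - 1) * size: page * size],
            "total": len(rows), "page": page, "page_size": size}

def fetch_all(fetch, **filters):
    """Walk every page until `total` rows are covered, de-duplicating on id."""
    seen, page = {}, 1
    while True:
        body = fetch({**filters, "page": page})
        for row in body["items"]:
            seen.setdefault(row["id"], row)
        if not body["items"] or page * body["page_size"] >= body["total"]:
            return list(seen.values())
        page += 1

def high_impact(rows):
    """Return (recorded_at, action, actor) for rows in HIGH_IMPACT; null actor = system job."""
    return [(r["recorded_at"], r["action"], r["actor_id"] or "system")
            for r in rows if r["action"] in HIGH_IMPACT]
```

Pinning until keeps the window stable: the log is reverse-chronological, so rows appended during a scan would otherwise shift later pages, which is also why fetch_all de-duplicates on id.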

Immutability

Rows are insert-only — there is no PATCH or DELETE endpoint. The records survive org_data.delete: even when raw events are purged, the audit log preserves the row showing who invoked the purge, when, and against which org. That row is the evidence regulators ask for.

Authorization

Reading the audit log requires audit_log:read, which is granted to owner, admin, and billing roles. See Access control for the full matrix.

Cross-references