Audit log
Read the immutable record of every administrative action in your organization.
Every state change inside TokenID — role grants, policy edits, retention changes, data deletions, signing-key registrations, kill-switch invocations — writes a row to the org audit log. The log is append-only, scoped per organization, and survives org-data erasure so you keep proof of who did what, when, even after a GDPR purge.
List audit-log records
/api/v1/audit-log
Returns the org's audit history in reverse-chronological order, paginated.
Query parameters
| Parameter | Type | Description |
|---|---|---|
| actor_id | UUID | Filter to actions taken by a specific user |
| action | string | Exact match on action key, e.g. api_keys.write, org_data.delete |
| since | ISO 8601 | Include records with recorded_at >= since |
| until | ISO 8601 | Include records with recorded_at < until |
| page | integer | Page number (1-indexed). Default 1 |
| page_size | integer | Records per page. Default 50, max 200 |
Response
```json
{
  "items": [
    {
      "id": "aud_01abc…",
      "actor_id": "usr_01def…",
      "action": "api_keys.delete",
      "resource_type": "api_keys",
      "resource_id": "key_01ghi…",
      "metadata": {
        "path": "/api/v1/api-keys/key_01ghi…",
        "method": "DELETE"
      },
      "recorded_at": "2026-05-21T08:00:00Z"
    }
  ],
  "total": 1,
  "page": 1,
  "page_size": 50
}
```
Field reference
| Field | Description |
|---|---|
| id | Audit-log row UUID |
| actor_id | User who performed the action. null for system-driven jobs |
| action | `<resource>.<verb>` — one of write, delete, invoke |
| resource_type | Resource class (api_keys, org_data, kill_switch, …) |
| resource_id | UUID of the affected resource, if applicable |
| metadata | Request context — path, HTTP method, and any per-action extras |
| recorded_at | UTC timestamp the action was recorded |
What gets logged
Only sensitive actions write rows: those whose verb is write, delete, or invoke. Reads are deliberately not logged, so the log stays small and focused on evidence. Examples:
| Action | Triggered by |
|---|---|
| api_keys.write / api_keys.delete | Creating or revoking an API key |
| connections.write / connections.delete | Connecting or removing a provider integration |
| enforcement_config.write | Editing budget caps or kill-switch thresholds |
| kill_switch.invoke | Tripping the kill switch (manual or automated) |
| org_data.delete | Full GDPR erasure of org data |
Immutability
Rows are insert-only — there is no PATCH or DELETE endpoint. The records survive org_data.delete: even when raw events are purged, the audit log preserves the row showing who invoked the purge, when, and against which org. That row is the evidence regulators ask for.
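An added example (not TokenID's own code) that pages through one half-open since/until window of the audit log and picks out high-impact actions for review. `fetch_page` is a hypothetical callable standing in for the HTTP request, the sample rows are constructed, and which action keys count as high-impact is this example's assumption.

```python
from datetime import datetime

# Action keys come from the "What gets logged" table; treating these four as
# high-impact is an assumption of this example.
HIGH_IMPACT = {"org_data.delete", "kill_switch.invoke",
               "api_keys.delete", "enforcement_config.write"}

def _ts(value):
    """Parse the API's UTC timestamps ("...Z") into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def collect_window(fetch_page, since, until, page_size=200):
    """Return all rows with since <= recorded_at < until, oldest first.

    fetch_page(params) is a hypothetical callable that queries
    /api/v1/audit-log and returns the decoded JSON body. A fixed `until`
    keeps paging stable: rows appended meanwhile fall outside the window.
    """
    seen, page = {}, 1
    while True:
        body = fetch_page({"since": since, "until": until,
                           "page": page, "page_size": page_size})
        for row in body["items"]:
            seen.setdefault(row["id"], row)  # defensive de-duplication
        if not body["items"] or page * body["page_size"] >= body["total"]:
            break
        page += 1
    return sorted(seen.values(), key=lambda r: _ts(r["recorded_at"]))

def high_impact(rows):
    """Keep only rows whose action key is in HIGH_IMPACT."""
    return [r for r in rows if r["action"] in HIGH_IMPACT]

# Constructed sample rows (not real data); actor_id None = system-driven job.
SAMPLE = [
    {"id": "aud_1", "actor_id": "usr_a", "action": "api_keys.write", "recorded_at": "2026-05-21T08:00:00Z"},
    {"id": "aud_2", "actor_id": "usr_a", "action": "enforcement_config.write", "recorded_at": "2026-05-21T09:00:00Z"},
    {"id": "aud_3", "actor_id": None, "action": "kill_switch.invoke", "recorded_at": "2026-05-21T10:00:00Z"},
    {"id": "aud_4", "actor_id": "usr_b", "action": "org_data.delete", "recorded_at": "2026-05-22T00:00:00Z"},
]

def fake_fetch(params):
    """In-memory stand-in for the endpoint: filter, newest first, one page."""
    lo, hi = _ts(params["since"]), _ts(params["until"])
    rows = [r for r in reversed(SAMPLE) if lo <= _ts(r["recorded_at"]) < hi]
    start = (params["page"] - 1) * params["page_size"]
    return {"items": rows[start:start + params["page_size"]], "total": len(rows),
            "page": params["page"], "page_size": params["page_size"]}
```

Because since is inclusive and until is exclusive, consecutive windows in which each since equals the previous until cover every row exactly once; the row stamped exactly at the boundary lands in the later window.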
Authorization
Reading the audit log requires audit_log:read, which is granted to owner, admin, and billing roles. See Access control for the full matrix.