Querying and Filtering Audit Logs

Investigate organization activity using supported action and target filters, pagination, and client-side analysis.

AuthOS release 0.8.2 API v1 Latest-only documentation
Updated Jul 15, 2026 Edit this page
On this page

The audit-log endpoint supports server-side filters for action, target type, and target ID. Use pagination for complete investigations. Filtering by actor, success, IP address, or date is not currently supported by the endpoint and must be applied to retrieved pages on the client.

Common Use Cases

Security Investigation

Scenario: Investigate suspicious activity after detecting an anomaly.

# 1. Find all actions by a specific user
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=100" \
  -H "Authorization: Bearer ..." | jq '.logs[] | select(.actor.email == "suspect@acme.com")'

# 2. Check for service deletions
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?action=service.deleted" \
  -H "Authorization: Bearer ..."

# 3. Review failed actions
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=100" \
  -H "Authorization: Bearer ..." | jq '.logs[] | select(.success == false)'

# 4. Check actions from unusual IP
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=100" \
  -H "Authorization: Bearer ..." | jq '.logs[] | select(.ip_address == "suspicious.ip.address")'

Configuration Change Tracking

Scenario: Track changes to a specific service.

# Get all events for a specific service
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?target_type=service&target_id=service-uuid" \
  -H "Authorization: Bearer ..."

# Example response shows:
# - When service was created
# - All configuration updates
# - OAuth credential changes
# - API key creations/deletions
# - Plan additions

User Activity Report

Scenario: Review all actions performed by a team member before offboarding.

# 1. Get all audit logs
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=1000" \
  -H "Authorization: Bearer ..."

# 2. Filter by actor email on client
jq '.logs[] | select(.actor.email == "leaving-employee@acme.com")' audit_logs.json

# 3. Group by action type
jq 'group_by(.action) | map({action: .[0].action, count: length})' filtered_logs.json

Query strategy

  1. Start with a narrow server-side action or target filter when possible.
  2. Request at most 100 records per page and follow pagination metadata.
  3. Apply unsupported actor, success, address, or date filters locally.
  4. Preserve the raw export before transforming evidence.
  5. Record query parameters, collection time, and page coverage with the result.