# List audit log entries

Retrieves a paginated list of audit log entries with flexible filtering options. Returns security-relevant actions performed by users, accounts, or services within the platform.

RBAC: requires Audit.Read

Endpoint: GET /api/v1/admin/audit_log
Version: 1.0
Security: 

## Query parameters:

  - `accountId` (string,null)
    Filter by account ID (mutually exclusive with email parameter)
    Example: "ac_01hxcvk1hjexere4pvtrj0ymqq"

  - `action` (array,null)
    Filter by specific actions (e.g., CREATE, UPDATE, DELETE). Multiple values allowed.
    Enum: "CREATE", "UPDATE", "DELETE", "PURGE", "ROLE_CHANGE", "USERNAME_CHANGE", "EMAIL_CHANGE", "PHONE_CHANGE", "STATE_CHANGE", "APPROVE", "REJECT", "INSTALL", "ENABLE", "DISABLE", "IMPERSONATE_REQUEST", "IMPERSONATE", "ACTION", "JOIN", "LEAVE", "INVITE", "JOIN_REQUEST"

  - `appId` (string,null)
    Filter by application ID
    Example: "ap_01hxcvk1hjexere4pvtrj0ymqq"

  - `domainSearch` (string,null)
    Search for entries related to specific domains
    Example: "example.com"

  - `email` (string,null)
    Filter by email address (mutually exclusive with accountId parameter)
    Example: "user@example.com"

  - `group` (array,null)
    Filter by audit log groups (e.g., ACCOUNT, USER, APP). Multiple values allowed.
    Enum: "ACCOUNT", "USER", "APP", "RULE", "SIGNUP", "POST", "DOMAIN_BLOCK", "EMAIL_BLOCK", "EMAIL_ALLOW", "GROUP", "GROUP_MEMBER", "GROUP_QUESTION", "SERVICE"

  - `groupId` (string,null)
    Filter by group ID
    Example: "gr_01hxcvk1hjexere4pvtrj0ymqq"

  - `lastId` (string,null)
    Get older records (records with IDs less than this value) Alias maxId/max_id
    Example: "us_01hxcvk1hjexere4pvtrj0ymqq"

  - `limit` (integer,null)

  - `offset` (integer,null)

  - `ruleId` (string,null)
    Filter by rule ID
    Example: "ru_01hxcvk1hjexere4pvtrj0ymqq"

  - `sortBy` (string,null)

  - `sortOrder` (string,null)

  - `untilId` (string,null)
    Get newer records (records with IDs greater than this value) Alias minId/min_id
    Example: "us_01hxcvk1hjexere4pvtrj0ymqq"

  - `userId` (string,null)
    Filter by user ID (mutually exclusive with username parameter)
    Example: "us_01hxcvk1hjexere4pvtrj0ymqq"

  - `username` (string,null)
    Filter by username with optional domain (e.g., 'john' or '@john@example.com'). Mutually exclusive with userId parameter.
    Example: "@john@example.com"

## Response 200 fields (application/json):

  - `list` (array, required)
    List of audit log records

  - `list.logGroup` (string, required)
    Group of the audit log
    Enum: "ACCOUNT", "USER", "APP", "RULE", "SIGNUP", "POST", "DOMAIN_BLOCK", "EMAIL_BLOCK", "EMAIL_ALLOW", "GROUP", "GROUP_MEMBER", "GROUP_QUESTION", "SERVICE"

  - `list.logAction` (string, required)
    Action performed in the audit log
    Enum: "CREATE", "UPDATE", "DELETE", "PURGE", "ROLE_CHANGE", "USERNAME_CHANGE", "EMAIL_CHANGE", "PHONE_CHANGE", "STATE_CHANGE", "APPROVE", "REJECT", "INSTALL", "ENABLE", "DISABLE", "IMPERSONATE_REQUEST", "IMPERSONATE", "ACTION", "JOIN", "LEAVE", "INVITE", "JOIN_REQUEST"

  - `list.happenedAt` (string, required)
    Timestamp when the action happened
    Example: "2022-03-10T16:15:50Z"

  - `list.ip` (object, required)
    IP address from which the action was performed

  - `list.ip.multicastAddress` (boolean)

  - `list.ip.anyLocalAddress` (boolean)

  - `list.ip.loopbackAddress` (boolean)

  - `list.ip.linkLocalAddress` (boolean)

  - `list.ip.siteLocalAddress` (boolean)

  - `list.ip.MCGlobal` (boolean)

  - `list.ip.MCNodeLocal` (boolean)

  - `list.ip.MCLinkLocal` (boolean)

  - `list.ip.MCSiteLocal` (boolean)

  - `list.ip.MCOrgLocal` (boolean)

  - `list.ip.hostName` (string)

  - `list.ip.address` (string)

  - `list.ip.hostAddress` (string)

  - `list.executor` (object, required)
    Entity that executed the action

  - `list.executor.accountId` (string,null)
    ID of the account that performed the action
    Example: "us_01hxcvk1hjexere4pvtrj0ymqq"

  - `list.executor.userId` (string,null)
    ID of the user that performed the action
    Example: "us_01hxcvk1hjexere4pvtrj0ymqq"

  - `list.executor.email` (string,null)
    Email of the account that performed the action
    Example: "john@example.com"

  - `list.executor.username` (string,null)
    Username of the user that performed the action
    Example: "john_smith"

  - `list.executor.serviceName` (string,null)
    Name of the service that performed the action
    Example: "system"

  - `list.data` (object, required)
    Additional data related to the action

  - `total` (integer, required)
    Total number of records matching the query
    Example: 42

## Response 400 fields (application/json):

  - `errorCode` (string, required)
    Error code

  - `message` (string, required)
    Error message

  - `docUrl` (string)
    Link to documentation

## Response 403 fields (application/json):

  - `errorCode` (string, required)
    Error code

  - `message` (string, required)
    Error message

  - `docUrl` (string)
    Link to documentation