Audit logs
Querying, retention, and exporting your workspace audit log.
Last updated May 12, 2026
What's audit-logged
Every meaningful action taken on your workspace lands in the audit log:
- Authentication events (sign-in, sign-out, MFA enroll, password reset).
- Team-management events (invite, role change, remove).
- Content events (create, edit, submit-for-review, approve, publish, request-revisions).
- Audit events (start, complete, fail, schedule, override cadence).
- Integration events (connect, disconnect, rotate, publish).
- API events (key create, revoke, rotate; per-request hits).
- Compliance events (block, override, custom-rule trigger).
- Super-admin events (any staff touch, including read-only).
Each entry includes: timestamp, actor (user or service), action, target entity, IP, user agent, and event-specific metadata.
Accessing the log
Settings → Audit log.
The default view shows the last 30 days, sorted newest-first. Use the filter bar to scope by:
- Action. Prefix-match supported —
audit.*shows every audit-related event. - Actor. User, API key, service account, super admin.
- Date range.
- Target entity. Filter by a specific company, content item, or integration.
The CSV export
From the filter bar, Export → CSV produces a CSV of the currently-filtered events. Columns:
timestamp, actor_id, actor_type, actor_name, action,
entity_type, entity_id, ip, user_agent, metadata_json
The metadata_json column is the per-event payload. Open in Excel or jq for analysis.
Exports run synchronously up to 10,000 rows. Beyond that, the export queues and we email you a download link when ready.
Retention
| Tier | Retention |
|---|---|
| Audit | 90 days |
| Strategy | 1 year |
| Managed | 2 years |
| Full Domination | 7 years |
Once an event ages past your retention window, it's deleted irreversibly. Exports older than 90 days are NOT recoverable — back them up if you need long-term retention.
Querying programmatically
Domination tier exposes GET /v1/audit-log with the same filters as the UI plus cursor pagination. See API overview.
Example: pull all of yesterday's API events:
curl "https://api.aidomination.app/v1/audit-log?action=api.*&from=2026-05-11&to=2026-05-12" \
-H "Authorization: Bearer $AD_TOKEN"
Common queries
| Query | Filter |
|---|---|
| Who approved a specific draft? | action=content.approved, entity = the draft id |
| What did this departing employee do in their last month? | actor_id = their user id, date range = last 30 days |
| Did a staff member impersonate anyone last week? | action=session.impersonation.* |
| Were there any compliance overrides? | action=compliance.override |
Alerts on audit-log events
Domination tier supports alerting on audit-log patterns. Settings → Audit log → Alerts:
- Pick an action pattern (e.g.
api.key.created). - Choose a notification target (email, Slack channel, webhook).
- Add filters (specific actors, specific entities).
Useful for detecting suspicious behaviour: API key created by anyone other than a known list, super-admin impersonation outside business hours, etc.
Tamper resistance
Audit-log entries are append-only at the database layer. We don't expose update or delete operations on the table even to engineering — modifications would require a write-mode database migration, which is itself audit-logged in our internal infrastructure.
The on-disk hash of each entry is computed and stored; periodic integrity scans verify no entry has been tampered with. Anomalies surface to engineering.
Privacy
Audit-log entries you generate live in your workspace only. We do NOT cross-pollinate audit data across workspaces. Aggregate metrics (e.g. "average API requests per workspace") may inform product decisions; the individual rows do not.
Was this article helpful?