Query the audit log

GET

/audit

const url = 'https://your-org.evershell.ai/v1/audit?order=asc&limit=100';
const options = {method: 'GET', headers: {Authorization: 'Bearer <token>'}};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request GET \
  --url 'https://your-org.evershell.ai/v1/audit?order=asc&limit=100' \
  --header 'Authorization: Bearer <token>'

Permissions: audit:read or audit:read:own — unscoped sees every event in the org; :own narrows to events attributable to the caller via user_id.

See Audit events for the full event-type catalog and detail shapes.

Pagination is opaque cursor-based: each response carries a cursor field when the page filled the requested limit; pass that value back as ?cursor=... for the next page. When cursor is absent, the page is the last one.

Authorizations

bearerAuth

Parameters

Query Parameters

filter

Array<string>

Repeated for AND. Each value is col=val[,val2,...] for IN-match, col!=val[,val2,...] for NOT-IN, or col!= for “column populated”. See the Audit events doc for the column whitelist.

from

string format: date-time

Lower time bound, RFC3339.

string format: date-time

Upper time bound, RFC3339.

order

string

default: desc

Allowed values: asc desc

Sort order on (timestamp, id).

limit

integer

default: 100 <= 10000

Page size. Capped at 10000.

cursor

string

Opaque resume pointer returned by a previous page’s cursor field. Don’t construct or parse — pass it back verbatim. A malformed cursor returns 400 invalid_cursor.

Responses

200

One page of events, ordered by (timestamp, id).

application/json

object

events

required

Array<object>

object

required

string

org_id

required

string

user_id

required

Real WorkOS user id for session-authenticated requests and proxy-emitted events; "system" for API-key-authenticated and WorkOS-webhook-driven events.

string

timestamp

required

string format: date-time

event_type

required

Closed-enum — see Audit events for the catalog

string

category

required

string

Allowed values: audit activity

actor

required

string

Allowed values: control-plane policy-engine agent

workspace_id

string

task_id

string

agent_role

Role name; populated only on workspace-scoped events.

string

agent_provider

Provider name; populated only on workspace-scoped events.

string

destination

string

method

string

path

string

decision

string

Allowed values: allow deny

reason

string

latency_ms

integer

transforms_applied

integer

validations_applied

integer

capability_name

string

phase

string

Allowed values: request_headers request_body response_headers response_body dns

policy_type

string

Allowed values: http dns

detail

object

key

additional properties

any

debits

object

key

additional properties

integer

budget_state

Per-counter snapshot at commit point (proxy allows).

object

key

additional properties

any

floored

Per-counter “ceiling applied” reasons (proxy allows).

object

key

additional properties

string

transforms_failed

Per-transform failure reasons.

object

key

additional properties

string

auth_used

Credential names whose mint succeeded on the request.

Array<string>

auth_failures

Per-credential mint failure reasons.

object

key

additional properties

string

cursor

Opaque resume pointer for the next page. Present only when the page filled the requested limit; absent means no more pages.

string

Example

{
  "events": [
    {
      "category": "audit",
      "actor": "control-plane",
      "decision": "allow",
      "phase": "request_headers",
      "policy_type": "http"
    }
  ]
}

400

Malformed cursor.

application/json

object

error

required

object

code

required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string

message

required

Human-readable summary

string

request_id

required

Server-generated request id for correlating logs

string

details

Optional structured context. Validation errors land at details.fields as a per-field map.

object

key

additional properties

any

Example

{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}

401

Missing or invalid credential

application/json

object

error

required

object

code

required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string

message

required

Human-readable summary

string

request_id

required

Server-generated request id for correlating logs

string

details

Optional structured context. Validation errors land at details.fields as a per-field map.

object

key

additional properties

any

Example

{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}

403

Caller lacks the required scope, or cross-org access attempted

application/json

object

error

required

object

code

required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string

message

required

Human-readable summary

string

request_id

required

Server-generated request id for correlating logs

string

details

Optional structured context. Validation errors land at details.fields as a per-field map.

object

key

additional properties

any

Example

{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}