Audit Event API

The audit event API provides tenant-scoped search and pagination over audit log entries. Use it to build security dashboards, feed compliance workflows, and investigate specific user or model activity.

This guide covers the search API (GET /api/admin/audit-logs/). For streaming bulk export with HMAC verification, see the Audit log export guide.

Endpoint

GET /api/admin/audit-logs/
Authorization: Bearer arb_live_your-api-key-here

Requires Org Admin role. All results are scoped to the authenticated admin’s tenant — cross-tenant access is not possible through this endpoint.

Filter parameters

All parameters are optional and may be combined. Multiple filters are ANDed.

Parameter	Type	Description
`limit`	integer	Maximum results to return. Range 1–500. Default `50`.
`offset`	integer	Number of results to skip for pagination. Default `0`.
`action`	string	Filter by action type (exact match). See action types below.
`user_id`	string	Filter by user UUID (exact match).
`model_id`	string	Filter by model identifier (exact match, e.g. `claude-sonnet-4-6`).
`provider`	string	Filter by provider name (exact match, e.g. `anthropic`).
`created_after`	ISO 8601 datetime	Filter entries with `created_at ≥` this value (inclusive).
`created_before`	ISO 8601 datetime	Filter entries with `created_at ≤` this value (inclusive).
`search`	string	Case-insensitive substring match on `prompt_text` AND `response_text`.

Results are ordered by created_at descending (newest first).

Action types

Common action values in the action field:

Action	Description
`prompt_sent`	A prompt was submitted to the gateway
`response_received`	A response was received from the upstream provider
`dlp_block`	A request was blocked by DLP
`dlp_redact`	A request was redacted by DLP
`login`	User login event
`logout`	User logout event
`api_key_created`	API key created
`api_key_revoked`	API key revoked
`siem_test_event`	Synthetic test event sent to a SIEM connector

Response schema

{
  "items": [...],
  "total": 1842,
  "limit": 50,
  "offset": 0
}

Field	Type	Description
`items`	array	Array of audit log entry objects
`total`	integer	Total matching entries (before `limit`/`offset`)
`limit`	integer	The requested limit
`offset`	integer	The requested offset

Audit entry fields

Each object in items contains:

Field	Type	Description
`id`	string (UUID)	Audit entry identifier
`user_id`	string (UUID)	UUID of the acting user, or `null` for system events
`action`	string	Action type identifier
`model_id`	string	Model identifier, or `null`
`provider`	string	Provider name, or `null`
`prompt_text`	string	Prompt text sent, or `null`
`response_text`	string	Response text received, or `null`
`token_count_input`	integer	Input token count, or `null`
`token_count_output`	integer	Output token count, or `null`
`cost_estimate`	number	Estimated cost in USD, or `null`
`latency_ms`	integer	Provider round-trip latency in milliseconds, or `null`
`created_at`	ISO 8601 datetime	Entry creation timestamp

Enriched fields

Audit entries include additional enrichment fields populated at request time. These fields are present on the underlying audit_logs row but may not all be returned by default in the search response.

GeoIP enrichment

GeoIP fields are derived from src_ip at write time using the MaxMind GeoIP2 database. They are not included in the HMAC chain (dataset-version-dependent — enrichment can change when the GeoIP database is updated).

Field	Description
`src_ip`	Source (client) IP address (PostgreSQL `inet` type)
`dst_ip`	Destination (gateway) IP address
`src_country_code`	ISO 3166-1 alpha-2 country code
`src_country_name`	Full country name
`src_region`	State or province
`src_city`	City name
`src_isp`	Internet service provider
`src_asn`	Autonomous System Number
`src_asn_org`	AS organization name
`src_arin_org`	ARIN Bulk Whois organization name
`dst_country_code`	Country code for destination IP
`dst_asn`	Destination ASN
`dst_asn_org`	Destination AS organization name

Credential Intelligence (CredInt) fields

CredInt fields are populated when the CredInt scan is active for the org and a corpus match is detected on the input.

Field	Description
`credint_enabled`	Whether CredInt was active for this org at request time
`credint_hit`	`true` if a breach corpus match was detected
`frequency_bucket`	Hit severity tier: `critical`, `high`, `medium`, or `low`
`context_type`	L1 extractor context type for the matched token (e.g. `explicit_assignment`)
`sha1_prefix`	First 8 hex characters of SHA-1 digest of the matched token. Audit traceability only — never the full hash, never the credential cleartext.
`credint_confidence`	L3 NLI confidence score for the hit, in `[0.0, 1.0]`

A null value for CredInt fields means CredInt was not in scope for this entry (feature off, non-DLP action, or the row predates CredInt).

HMAC chain fields

The audit log implements an HMAC-SHA256 chain for tamper detection. The chain fields — hmac, previous_hmac, and hmac_key_id — are excluded from the search API response. They are not returned by GET /api/admin/audit-logs/ because they are security-sensitive integrity data, not operational data.

To verify the HMAC chain, use the dedicated audit integrity verification workflow.

The src_ip and dst_ip fields are included in the HMAC chain (they are observed facts). The GeoIP enrichment columns are not chained because they are derived from a dataset that can change.

Pagination

The API uses offset-based pagination. Use limit and offset to page through results:

# First page
GET /api/admin/audit-logs/?limit=100&offset=0

# Second page
GET /api/admin/audit-logs/?limit=100&offset=100

The total field in the response gives the full result count for the applied filters, enabling UI pagination controls.

For time-range scans over large datasets, use created_after and created_before to narrow the window before paginating. This reduces query cost significantly compared to offset pagination over millions of rows.

Example requests

All events for a specific user in the last 24 hours

GET /api/admin/audit-logs/?user_id=1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d&created_after=2026-03-10T00:00:00Z&created_before=2026-03-11T00:00:00Z
Authorization: Bearer arb_live_your-api-key-here

All DLP block events

GET /api/admin/audit-logs/?action=dlp_block&limit=500
Authorization: Bearer arb_live_your-api-key-here

Search for events containing a specific term

GET /api/admin/audit-logs/?search=internal+credentials&limit=50
Authorization: Bearer arb_live_your-api-key-here

The search parameter performs case-insensitive substring matching on both prompt_text and response_text. Results include entries where either field contains the search string.

Events for a specific model

GET /api/admin/audit-logs/?model_id=claude-sonnet-4-6&provider=anthropic&limit=100
Authorization: Bearer arb_live_your-api-key-here

Outpost sync entries

Audit entries with source="outpost" were forwarded from a Hybrid Outpost deployment via the audit sync endpoint. These entries also carry an outpost_id field identifying the originating Outpost. They are included in normal search results and filtered the same way as platform-generated entries.