Audit Log
Append-only audit events with scoped queries, 30-day retention, and JSON export.
The audit log records security-relevant actions across accounts and workspaces — who did what, when, and on which resource.
What's captured
| Category | Examples |
|---|---|
| Membership | Member added, role changed, revoked |
| Workspace | Created, frozen, exported |
| Secrets | Reveal (value never stored in audit row) |
| Data | Vault DDL, bulk operations |
| Billing | Quota threshold, export completed |
Events are append-only. Retention defaults to 30 days per account tier.
Customer Portal
Account admins browse the audit feed from Activity Log:
- Choose scope — account or workspace
- Filter by time and action type
- Export JSON for compliance archives
API
Scoped query:
GET /v1/scopes/{scope_type}/{scope_id}/audit?limit=50
Authorization: Bearer <token>Export:
POST /v1/scopes/{scope_type}/{scope_id}/audit/exportRequires read on the scope. See Accounts API for account-level audit endpoints.
Storage
Audit events live in Control Plane Postgres (audit_events table) — platform metadata, not customer business data in Dataplane.
High-volume cross-tenant operator search is a future operator-portal feature and is not exposed on public customer APIs today.
Related
- Activity log guide — UI walkthrough
- Process log — runtime logs (Loki), not audit
- Event emission — Redpanda lifecycle events