Overview
The Audit Log provides a record of security and administrative actions taken across your organization. It tracks who did what, when, and to which resource. Organization administrators can access the audit log from the Settings page under the Audit Log tab.Viewing the Audit Log
From the left sidebar, click on Settings, then select the Audit Log tab. Each entry in the log includes:- Time: When the action occurred
- Actor: The user or system that performed the action
- Action: What was done (e.g., “Created role”, “Provisioned user”)
- Category: The area the action belongs to (e.g., Auth, RBAC, SCIM)
- Resource: The resource that was affected, along with its type and ID
Filtering and Search
The audit log supports several ways to narrow down events:- Search: Free-text search across actor email, action, category, resource type, resource ID, and event details
- Category filter: Filter by category (e.g., Authentication, SCIM Provisioning, Roles & Permissions)
- Action filter: Filter by specific action. When a category is selected, only actions relevant to that category are shown
- Date range: Filter by time window (Today, Last 7 Days, Last 30 Days, Last 90 Days)
Categories and Actions
Authentication
Actions related to user login, logout, and identity provider configuration.| Action | Description |
|---|---|
| Logged in | User successfully authenticated |
| Logged out | User ended their session |
| Login failed | Authentication attempt was rejected |
| Generated magic link | A magic link login email was sent |
| Created OIDC provider | A new OIDC identity provider was configured |
| Updated OIDC provider | An existing OIDC provider’s settings were changed |
| Deleted OIDC provider | An OIDC provider was removed |
| Added OIDC provider to org | An OIDC provider was linked to the organization |
| Removed OIDC provider from org | An OIDC provider was unlinked from the organization |
Member Management
Actions related to adding or removing organization members.| Action | Description |
|---|---|
| Invited member | An invitation was sent to a new user |
| Member joined | A user accepted an invitation and joined the organization |
| Removed member | A member was removed from the organization |
Roles & Permissions
Actions related to roles, role assignments, permissions, service accounts, and API keys.| Action | Description |
|---|---|
| Created role | A new role was created |
| Updated role | A role’s configuration was changed |
| Deleted role | A role was removed |
| Assigned role | A role was assigned to a member |
| Unassigned role | A role was removed from a member |
| Granted permission | A permission was added to a role |
| Revoked permission | A permission was removed from a role |
| Created service account | A new service account was created |
| Deleted service account | A service account was removed |
| Created API key | An API key was generated |
| Revoked API key | An API key was revoked |
| Rotated API key | An API key was rotated |
Connectors
Actions related to data source connectors.| Action | Description |
|---|---|
| Created connector | A new connector was added |
| Updated connector | A connector’s configuration was changed |
| Deleted connector | A connector was removed |
Organization Settings
Actions related to organization-level configuration.| Action | Description |
|---|---|
| Updated org settings | Organization settings were modified |
| Deleted organization | The organization was deleted |
| Switched organization | A user switched to a different organization |
| Created sibling organization | A new sibling organization was created |
API Access Keys
Actions related to API access keys used for programmatic access.| Action | Description |
|---|---|
| Created API access key | A new API access key was generated |
| Updated API access key | An API access key was modified |
| Deleted API access key | An API access key was removed |
Secrets
Actions related to organization secrets.| Action | Description |
|---|---|
| Created secret | A new secret was added |
| Updated secret | A secret was modified |
| Deleted secret | A secret was removed |
SCIM Provisioning
Actions related to SCIM-based user and group provisioning. Token and OAuth client management actions are performed by organization administrators through the UI. User and group provisioning actions are performed automatically by your identity provider via the SCIM API.| Action | Description |
|---|---|
| Created SCIM token | A new SCIM bearer token was generated |
| Revoked SCIM token | A SCIM bearer token was revoked |
| Created SCIM OAuth client | A new SCIM OAuth client was created |
| Revoked SCIM OAuth client | A SCIM OAuth client was revoked |
| Provisioned user | A user was provisioned (or reactivated) via SCIM |
| Updated user | A user’s attributes were updated via SCIM |
| Deprovisioned user | A user was deactivated via SCIM |
| Created group | A group was created via SCIM |
| Updated group | A group’s membership or name was updated via SCIM |
| Deleted group | A group was removed via SCIM |