Skip to main content
The audit module records all significant actions performed by users. Logs are automatically created by other modules (auth, admin, user, connect) and can be queried through this endpoint. All endpoints require authentication via Authorization: Bearer <token>.

Get audit logs

GET /api/audit
Returns the authenticated user’s audit logs, ordered by most recent first.
limit
number
Maximum number of logs to return. Defaults to 50, max 100.
offset
number
Number of logs to skip for pagination. Defaults to 0.
action
string
Filter by action type (see list below).

Response 200

{
  "logs": [
    {
      "id": "log_abc123",
      "action": "USER_LOGIN",
      "data": {
        "ipHash": "encrypted_ip_string",
        "twoFactorUsed": false
      },
      "createdAt": "2026-06-05T14:30:00.000Z"
    },
    {
      "id": "log_def456",
      "action": "SESSION_CREATE",
      "data": {
        "ipHash": "encrypted_ip_string"
      },
      "createdAt": "2026-06-05T14:30:00.000Z"
    }
  ],
  "total": 142,
  "limit": 50,
  "offset": 0
}

Audit action types

All possible actions recorded by the audit system:
ActionTriggered by
USER_LOGINSuccessful login (password or OAuth)
USER_LOGOUTSession logout
USER_REGISTERNew account creation (via OAuth)
PASSWORD_CHANGEPassword update
TWO_FACTOR_ENABLE2FA enabled
TWO_FACTOR_DISABLE2FA disabled
USER_UPDATEProfile changes (avatar, custom domain, etc.)
USER_DELETEAccount deletion
SESSION_CREATENew session started
SESSION_DELETESession manually revoked
SERVICE_ACCESS_GRANTAdmin grants service access
SERVICE_ACCESS_REVOKEAdmin revokes service access
SERVICE_TIER_CHANGEService tier changed
SUBSCRIPTION_CREATENew subscription via Polar
SUBSCRIPTION_UPDATESubscription modified
SUBSCRIPTION_CANCELSubscription canceled
SUBSCRIPTION_REVOKESubscription revoked
USER_BANUser banned
USER_DISABLEUser disabled
SERVICE_ENTITLEMENT_CONNECTService connection activated
SERVICE_ENTITLEMENT_DISCONNECTService connection deactivated