AuditEvent
/api/v1/audit-eventsA security/audit log line.
listgetlogSchema
| Field | Type | Notes |
|---|---|---|
| id* | uuid | Server-assigned ULID with type prefix (e.g. per_…). |
| tenant_id* | string | Tenant scope — auto-stamped from the caller's JWT. |
| app_id | string | App scope. Stamped ONLY when the caller's JWT was minted for a specific Application (integration API keys). Absent for human-user sessions. Filters reads when present. |
| created_at* | date-time | Server stamp. |
| updated_at* | date-time | Server stamp; updated on every patch. |
| created_by | uuid | Person id from the caller's JWT (sub). |
| updated_by | uuid | Person id from the last writer's JWT (sub). |
| source | string | Provenance tag — defaults to 'edm'. |
| source_type | enum | frontend | backend | server | system | apiWhere the write originated. Defaults to 'api'. |
| is_deleted | boolean | Soft-delete flag. Excluded from default list queries. |
| deleted_at | date-time | Stamped when soft-deleted; null otherwise. |
| deleted_by | uuid | Person id who soft-deleted; null otherwise. |
| schema_version | number | Document schema version. Bumped on incompatible writes. |
| sequence_id | number | Monotonic per-tenant sequence number. Used to detect gaps in the chain. |
| actor_type | string | Classification of the actor that performed the action. |
| actor_id | string | Identifier of the actor — a userId or service account ID. |
| impersonated_user_id | string | Set when an admin or impersonator acts on behalf of another user. |
| action | string | Dot-separated action name describing the operation performed (e.g. 'accounts.create', 'policy.activate', 'evidence.export'). |
| resource_type | string | EDM entity type of the affected resource (e.g. 'Person', 'SoftwareLicense'). |
| resource_id | string | Identifier of the affected resource. |
| outcome | string | Result of the action. |
| reason | string | Reason for a denial or error outcome. |
| before | json | Snapshot of the resource state before the mutation. Automatically populated for EDM operations. |
| after | json | Snapshot of the resource state after the mutation. Automatically populated for EDM operations. |
| changes | json | Computed diff of changed fields between before and after snapshots. |
| ip | string | Source IP address of the originating request. |
| user_agent | string | User-Agent string of the originating HTTP client. |
| request_id | string | Correlation ID for distributed tracing across services. |
| policy_decision_ids | json | Identifiers of Rego policy decisions that gated this action. |
| previous_hash | string | SHA-256 hash of the previous AuditEvent in the tenant chain. Read-only; populated by the platform. |
| record_hash | string | HMAC-SHA-256 of this record using the CORESDK_AUDIT_HMAC_KEY. Read-only; populated by the platform. |
| worm_ref | string | MinIO Object Lock URL once this event has been flushed to the WORM archive. Read-only; null until archived. |
| ts | date-time | ISO 8601 UTC timestamp of when the event occurred. |
API
Loading manifest…