> ## Documentation Index
> Fetch the complete documentation index at: https://docs.myme.so/llms.txt
> Use this file to discover all available pages before exploring further.

# List audit log entries

> Returns audit-log entries in reverse-chronological order, optionally filtered by `action`, `resource_type`, `resource_id`, or a `since` / `until` time range. Cursor-paginated. Each entry carries the credential that performed the action (`key_id`), the resolved client IP (subject to `TRUSTED_PROXY_CIDRS`), and a structured `details` payload that varies by action.

The audit log records every state-changing API call plus a few admin-side reads. Item / edge reads, SSE subscribe/unsubscribe, and search queries are NOT logged — those land in request logs instead. Retention is `AUDIT_RETENTION_DAYS` (default 90; per-tenant override via `TenantConfig.audit_retention_days`); older rows are removed by a periodic cleanup job. Tenant-scoped admin keys see their own tenant's rows; tenantless bootstrap-admin keys see every row.

Non-admin credentials return `403 forbidden`. See [Audit log](/concepts/audit).



## OpenAPI

````yaml /openapi.json get /audit
openapi: 3.1.0
info:
  title: Marfa API
  version: 4.2.0
  description: Typed data layer for structured personal data
servers: []
security: []
paths:
  /audit:
    get:
      tags:
        - Admin
      summary: List audit log entries
      description: >-
        Returns audit-log entries in reverse-chronological order, optionally
        filtered by `action`, `resource_type`, `resource_id`, or a `since` /
        `until` time range. Cursor-paginated. Each entry carries the credential
        that performed the action (`key_id`), the resolved client IP (subject to
        `TRUSTED_PROXY_CIDRS`), and a structured `details` payload that varies
        by action.


        The audit log records every state-changing API call plus a few
        admin-side reads. Item / edge reads, SSE subscribe/unsubscribe, and
        search queries are NOT logged — those land in request logs instead.
        Retention is `AUDIT_RETENTION_DAYS` (default 90; per-tenant override via
        `TenantConfig.audit_retention_days`); older rows are removed by a
        periodic cleanup job. Tenant-scoped admin keys see their own tenant's
        rows; tenantless bootstrap-admin keys see every row.


        Non-admin credentials return `403 forbidden`. See [Audit
        log](/concepts/audit).
      parameters:
        - schema:
            type: string
          required: false
          name: action
          in: query
        - schema:
            type: string
          required: false
          name: resource_type
          in: query
        - schema:
            type: string
          required: false
          name: resource_id
          in: query
        - schema:
            type: string
          required: false
          name: since
          in: query
        - schema:
            type: string
          required: false
          name: until
          in: query
        - schema:
            type: integer
            minimum: 1
            maximum: 200
            default: 50
          required: false
          name: limit
          in: query
        - schema:
            type: string
          required: false
          name: cursor
          in: query
      responses:
        '200':
          description: Paginated audit log entries
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      type: object
                      properties:
                        id:
                          type: string
                        timestamp:
                          type: string
                        key_id:
                          type: string
                          nullable: true
                        tenant_id:
                          type: string
                          nullable: true
                        action:
                          type: string
                        resource_type:
                          type: string
                        resource_id:
                          type: string
                          nullable: true
                        client_ip:
                          type: string
                          nullable: true
                        details:
                          type: object
                          additionalProperties:
                            nullable: true
                      required:
                        - id
                        - timestamp
                        - key_id
                        - tenant_id
                        - action
                        - resource_type
                        - resource_id
                        - client_ip
                        - details
                  cursor:
                    type: string
                    nullable: true
                  has_more:
                    type: boolean
                required:
                  - data
                  - cursor
                  - has_more
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: object
                    properties:
                      code:
                        type: string
                        enum:
                          - unauthorized
                      message:
                        type: string
                      details:
                        type: object
                        additionalProperties:
                          nullable: true
                    required:
                      - code
                      - message
                required:
                  - error
      security:
        - bearerAuth: []
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: API Key or OAuth Token
      description: Pass an API key (marfa_k1_...) or OAuth access token (marfa_at_...)

````