> ## Documentation Index
> Fetch the complete documentation index at: https://docs.myme.so/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit log

> Append-only record of every write and administrative action

The server records every write — item creation, updates, transitions, deletes, edge mutations, extension writes, key lifecycle events, blob uploads, webhook management — in an append-only audit log. The log is admin-queryable and retained on a rolling window.

## Entry shape

Each entry carries:

* **`id`** — UUIDv7. Time-sortable.
* **`timestamp`** — when the action was recorded.
* **`key_id`** — the credential that performed the action. Null for system-originated events (scheduled jobs, server bootstrap).
* **`tenant_id`** — the tenant the action belongs to. Null for system-initiated audits (install pipeline, retention jobs) and for actions performed by tenantless bootstrap-admin keys.
* **`client_ip`** — the resolved peer address of the request, honouring `TRUSTED_PROXY_CIDRS`. Null when the action originates outside a request handler (system-initiated audits) or when no proxy trust is configured and the peer can't be resolved.
* **`action`** — the verb: `item.create`, `item.update`, `edge.create`, `blob.upload`, `blob.reconcile`, `key.revoke`, etc.
* **`resource_type`** — what was acted on: `item`, `edge`, `key`, `type`, `webhook`, `blob`, `extension`.
* **`resource_id`** — the resource's id. Null when the action doesn't target a single row.
* **`details`** — structured context. Shape varies by action.

Full schema lives in the [`GET /audit` reference](/api-reference/admin/list-audit-log-entries).

## Querying

Admin-only. `GET /audit` accepts filters for `action`, `resource_type`, `resource_id`, and a `since` / `until` timestamp range; results paginate via cursor:

```
GET /audit?resource_type=item&since=2026-04-01T00:00:00Z
GET /audit?action=key.revoke
GET /audit?resource_id=<item-id>
```

A non-admin credential that calls `/audit` gets `403 forbidden`. Space-scoped admin keys see only their own space's rows; tenantless bootstrap-admin keys see every row — the same admit-all-when-tenantless pattern items reads use.

## Retention

`AUDIT_RETENTION_DAYS` controls how long entries live — older rows are removed by a periodic cleanup job on the interval set by `AUDIT_CLEANUP_INTERVAL_MS`. See [Configuration](/self-hosting/configuration) for defaults.

Retention is lossy by design. The audit log is for investigating recent activity, compliance spot-checks, and reconciling unexpected state; it is not a long-term event-sourcing substrate. Deployments with legal or contractual retention needs should mirror the audit stream into external storage.

## What is and isn't logged

* **Logged**: every state-changing API call, plus administrative reads that touch credentials or tenant config.
* **Not logged**: item and edge reads, search queries, SSE subscribe/unsubscribe. Read traffic lands in structured request logs rather than the audit log — the audit log is about writes.

## Relationship to webhooks and SSE

Audit entries are independent of event delivery. Webhooks and SSE stream item lifecycle events to subscribers; the audit log records all writes, including those that produce no event (e.g. no-op updates). Don't reconcile one against the other — they answer different questions.
