# Audit log events `GET https://api.airtable.com/v0/meta/enterpriseAccounts/{enterpriseAccountId}/auditLogEvents` Retrieve audit log events for an enterprise. By default, this will walk all the data we're currently storing and continue walking data into the future. ## Requirements - **Authentication:** [Personal access token](https://airtable.com/developers/web/api/authentication.md#types-of-token), [OAuth integration](https://airtable.com/developers/web/api/authentication.md#types-of-token) - **Scope:** [`enterprise.auditLogs:read`](https://airtable.com/developers/web/api/scopes.md#enterprise-audit-logs-read) - **User role:** Enterprise admin - **Billing plans:** Enterprise (pre-2023.08 legacy plan), Enterprise Scale ## Path parameters - `enterpriseAccountId: string` ## Query parameters - `startTime: string` — optional Earliest audit log event to retrieve (inclusive), in ISO 8601 date time format. Optional. Defaults to the beginning of the retention period, 180 days ago. - `endTime: string` — optional Latest audit log event to retrieve (exclusive), in ISO 8601 date time format. Optional. Defaults to now. - `originatingUserId: string | array` — optional Retrieve audit log events originating from the provided user ID or IDs (maximum 100). Optional. - `eventType` — [Audit log event types](https://airtable.com/developers/web/api/audit-log-event-types.md) | array<[Audit log event types](https://airtable.com/developers/web/api/audit-log-event-types.md)> — optional Retrieve audit log events falling under the provided event type or event types (maximum 100). Optional. - `modelId: string | array` — optional Retrieve audit log events taking action on, or involving, the provided model ID or IDs (maximum 100). Optional. - `pageSize: number` — optional The number of events per page. Maximum value of 1000; defaults to 10. - `sortOrder: "descending" | "ascending"` — optional Sort the events by timestamp in ascending or descending order. Defaults to descending. - `previous: string` — optional If there are older items to retrieve, a **previous** is returned. Pass the **previous** from a prior call to retrieve the next-oldest page of items. You may pass the special value `null` to indicate "use the default behavior", which operates identically to omitting the **previous** parameter entirely. - `next: string` — optional If there are newer items to retrieve, a **next** is returned. Pass the **next** from a prior call to retrieve the next-newest page of items. You may pass the special value `null` to indicate "use the default behavior", which operates identically to omitting the **next** parameter entirely. - `category: "base" | "baseCollaboration" | "groups" | "role" | "share" | "user" | "twoFactorAuthentication" | "oauth" | "personalAccessToken" | "enterprise" | "enterpriseSettings" | "enterpriseLicenses" | "managedApps" | "components" | "publishedDataSets" | "dataTable" | "workspace" | "workspaceCollaboration" | "interface" | "standaloneForms" | "interfaceCollaboration" | "view" | "ai" | "solution" | "portal" | "workflow" | "customDomain" | array<"base" | "baseCollaboration" | "groups" | "role" | "share" | "user" | "twoFactorAuthentication" | "oauth" | "personalAccessToken" | "enterprise" | "enterpriseSettings" | "enterpriseLicenses" | "managedApps" | "components" | "publishedDataSets" | "dataTable" | "workspace" | "workspaceCollaboration" | "interface" | "standaloneForms" | "interfaceCollaboration" | "view" | "ai" | "solution" | "portal" | "workflow" | "customDomain">` — optional ## Response format - `events: array` — required Events are returned newest to oldest. - `id: string` — required - `timestamp: string` — required A date timestamp in the ISO format, eg:"2018-01-01T00:00:00.000Z" - `action` — [Audit log event types](https://airtable.com/developers/web/api/audit-log-event-types.md) — required - `actor: Audit-log-actor` — required - `modelId: string` — required - `modelType: "base" | "attachment" | "extension_installation" | "interface" | "page" | "page_element" | "record" | "share" | "invite" | "two_factor_strategy" | "user" | "group" | "view" | "workspace" | "enterprise" | "table" | "oauth_access_token" | "personal_access_token" | "feature_kit_installation" | "managed_app" | "managed_app_release" | "component" | "component_release" | "data_table" | "data_table_import" | "published_dataset" | "role" | "portal" | "sync_integration_source" | "automation" | "sso_identity_provider"` — required - `payload` — [Audit log event payloads](https://airtable.com/developers/web/api/audit-log-event-types.md) — required - `payloadVersion: "1.0" | "1.1" | "1.2" | "1.3" | "1.4" | "1.5" | "1.6" | "1.7" | "1.8" | "1.9" | "1.10" | "2.0" | "2.1" | "2.2" | "2.3" | "2.4" | "2.5" | "2.6" | "2.7" | "2.8" | "2.9" | "2.10" | "3.0" | "3.1" | "3.2" | "3.3" | "3.4" | "3.5" | "3.6" | "3.7" | "3.8" | "3.9" | "3.10" | "4.0" | "4.1" | "4.2" | "4.3" | "4.4" | "4.5" | "4.6" | "4.7" | "4.8" | "4.9" | "4.10" | "5.0" | "5.1" | "5.2" | "5.3" | "5.4" | "5.5" | "5.6" | "5.7" | "5.8" | "5.9" | "5.10" | "6.0" | "6.1" | "6.2" | "6.3" | "6.4" | "6.5" | "6.6" | "6.7" | "6.8" | "6.9" | "6.10"` — required - `context: object` — required - `baseId: string` — optional Base ID, a unique identifier for a base. - `actionId: string` — required - `enterpriseAccountId: string` — required - `descendantEnterpriseAccountId: string` — optional - `interfaceId: string` — optional - `workspaceId: string` — optional - `origin: object` — required - `ipAddress: string` — required - `userAgent: string` — required - `oauthAccessTokenId: string` — optional - `personalAccessTokenId: string` — optional - `sessionId: string` — optional - `pagination: object` — required Contains pagination tokens (if existing). - `next: string | null` — required Pagination token to retrieve the next-newest page of available items. If an endTime was provided in the query, this value will be non-null if there exist any newer items to retrieve. If an endTime was not provided in the query, this value will always be present to provide a starting point from which to continue consuming future audit log events. To retrieve the next-newest page of available items, repeat the request that generated _this_ page of items, but supply this value as the **next** query parameter. - `previous: string | null` — required Pagination token used to retrieve the next-oldest page of available items. This value will be non-null in the response only if there exist any older items to retrieve. To retrieve the next-oldest page of available items, repeat the request that generated _this_ page of items, but supply this value as the **previous** query parameter. ### Example — Success response ```sh curl "https://api.airtable.com/v0/meta/enterpriseAccounts/{enterpriseAccountId}/auditLogEvents" \ -H "Authorization: Bearer YOUR_TOKEN" ``` ```json { "events": [ { "action": "createBase", "actor": { "type": "user", "user": { "email": "foo@bar.com", "id": "usrL2PNC5o3H4lBEi", "name": "Jane Doe" } }, "context": { "actionId": "actxr1mLqZz1T35FA", "baseId": "appLkNDICXNqxSDhG", "enterpriseAccountId": "entUBq2RGdihxl3vU", "interfaceId": "pbdyGA3PsOziEHPDE", "workspaceId": "wspmhESAta6clCCwF" }, "id": "01FYFFDE39BDDBC0HWK51R6GPF", "modelId": "appLkNDICXNqxSDhG", "modelType": "base", "origin": { "ipAddress": "1.2.3.4", "sessionId": "sesE3ulSADiRNhqAv", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36" }, "payload": { "name": "My newly created base!" }, "payloadVersion": "1.0", "timestamp": "2022-02-01T21:25:05.663Z" } ], "pagination": { "next": "MDFHUk5OMlM4MFhTNkY0R0M2QVlZTVZNNDQ=", "previous": "MDFHUk5ITVhNMEE4UFozTlg1SlFaRlMyOFM=" } } ``` ## Error responses ### 422 **Invalid endTime (too far in the future)** — Invalid **endTime**. See error message for exact reason. ```json { "error": { "message": "Provided endTime is too far in the future", "type": "INVALID_TIME_RANGE" } } ``` **Invalid endTime (too far in the past)** — Invalid **endTime**. See error message for exact reason. ```json { "error": { "message": "Provided endTime is before oldest queryable time", "type": "INVALID_TIME_RANGE" } } ``` **Invalid filter** — Invalid **filter**. See error message for exact reason. ```json { "error": { "message": "Maximum filter count per parameter is 100", "type": "TOO_MANY_FILTERS" } } ``` **Invalid pageSize** — Invalid **pageSize**. See error message for exact reason. ```json { "error": { "message": "Maximum pageSize is 1000", "type": "INVALID_PAGE_SIZE_ARGUMENT" } } ``` **Invalid pagination token** — Invalid **pagination**. See error message for exact reason. ```json { "error": { "message": "Invalid pagination token", "type": "INVALID_PAGINATION_TOKEN" } } ``` **Invalid pagination token (multiple tokens received)** — Invalid **pagination**. See error message for exact reason. ```json { "error": { "message": "Multiple pagination tokens received", "type": "MULTIPLE_PAGINATION_TOKENS_RECEIVED" } } ``` **Invalid pagination token (out of range)** — Invalid **pagination**. See error message for exact reason. ```json { "error": { "message": "Pagination token is invalid for this query", "type": "INVALID_PAGINATION_TOKEN" } } ``` **Invalid startTime (too far in the future)** — Invalid **startTime**. See error message for exact reason. ```json { "error": { "message": "Provided startTime is in the future", "type": "INVALID_TIME_RANGE" } } ``` **Invalid startTime (too far in the past)** — Invalid **startTime**. See error message for exact reason. ```json { "error": { "message": "Provided startTime is too far in the past. Audit log events are stored for 180 days.", "type": "INVALID_TIME_RANGE" } } ``` **Invalid time** — Invalid **startTime** or **endTime**. See error message for exact reason. ```json { "error": { "message": "startTime cannot be same or after endTime", "type": "INVALID_TIME_RANGE" } } ```