Skip to content
Primary navigation

Suggested
API Dashboard
API Reference
Admin
Organization
Audit Logs

List audit logs

client.admin.organization.auditLogs.list(AuditLogListParams { actor_emails, actor_ids, after, 6 more } query?, RequestOptionsoptions?): ConversationCursorPage<AuditLogListResponse { id, effective_at, type, 49 more } >
GET/organization/audit_logs

List user actions and configuration changes within this organization.

ParametersExpand Collapse
query: AuditLogListParams { actor_emails, actor_ids, after, 6 more }
actor_emails?: Array<string>

Return only events performed by users with these emails.

actor_ids?: Array<string>

Return only events performed by these actors. Can be a user ID, a service account ID, or an api key tracking ID.

after?: string

A cursor for use in pagination. after is an object ID that defines your place in the list. For instance, if you make a list request and receive 100 objects, ending with obj_foo, your subsequent call can include after=obj_foo in order to fetch the next page of the list.

before?: string

A cursor for use in pagination. before is an object ID that defines your place in the list. For instance, if you make a list request and receive 100 objects, starting with obj_foo, your subsequent call can include before=obj_foo in order to fetch the previous page of the list.

effective_at?: EffectiveAt

Return only events whose effective_at (Unix seconds) is in this range.

gt?: number

Return only events whose effective_at (Unix seconds) is greater than this value.

gte?: number

Return only events whose effective_at (Unix seconds) is greater than or equal to this value.

lt?: number

Return only events whose effective_at (Unix seconds) is less than this value.

lte?: number

Return only events whose effective_at (Unix seconds) is less than or equal to this value.

event_types?: Array<"api_key.created" | "api_key.updated" | "api_key.deleted" | 48 more>

Return only events with a type in one of these values. For example, project.created. For all options, see the documentation for the audit log object.

One of the following:
"api_key.created"
"api_key.updated"
"api_key.deleted"
"certificate.created"
"certificate.updated"
"certificate.deleted"
"certificates.activated"
"certificates.deactivated"
"checkpoint.permission.created"
"checkpoint.permission.deleted"
"external_key.registered"
"external_key.removed"
"group.created"
"group.updated"
"group.deleted"
"invite.sent"
"invite.accepted"
"invite.deleted"
"ip_allowlist.created"
"ip_allowlist.updated"
"ip_allowlist.deleted"
"ip_allowlist.config.activated"
"ip_allowlist.config.deactivated"
"login.succeeded"
"login.failed"
"logout.succeeded"
"logout.failed"
"organization.updated"
"project.created"
"project.updated"
"project.archived"
"project.deleted"
"rate_limit.updated"
"rate_limit.deleted"
"resource.deleted"
"tunnel.created"
"tunnel.updated"
"tunnel.deleted"
"role.created"
"role.updated"
"role.deleted"
"role.assignment.created"
"role.assignment.deleted"
"scim.enabled"
"scim.disabled"
"service_account.created"
"service_account.updated"
"service_account.deleted"
"user.added"
"user.updated"
"user.deleted"
limit?: number

A limit on the number of objects to be returned. Limit can range between 1 and 100, and the default is 20.

project_ids?: Array<string>

Return only events for these projects.

resource_ids?: Array<string>

Return only events performed on these targets. For example, a project ID updated.

ReturnsExpand Collapse
AuditLogListResponse { id, effective_at, type, 49 more }

A log of a user action or configuration change within this organization.

id: string

The ID of this log.

effective_at: number

The Unix timestamp (in seconds) of the event.

formatunixtime
type: "api_key.created" | "api_key.updated" | "api_key.deleted" | 48 more

The event type.

One of the following:
"api_key.created"
"api_key.updated"
"api_key.deleted"
"certificate.created"
"certificate.updated"
"certificate.deleted"
"certificates.activated"
"certificates.deactivated"
"checkpoint.permission.created"
"checkpoint.permission.deleted"
"external_key.registered"
"external_key.removed"
"group.created"
"group.updated"
"group.deleted"
"invite.sent"
"invite.accepted"
"invite.deleted"
"ip_allowlist.created"
"ip_allowlist.updated"
"ip_allowlist.deleted"
"ip_allowlist.config.activated"
"ip_allowlist.config.deactivated"
"login.succeeded"
"login.failed"
"logout.succeeded"
"logout.failed"
"organization.updated"
"project.created"
"project.updated"
"project.archived"
"project.deleted"
"rate_limit.updated"
"rate_limit.deleted"
"resource.deleted"
"tunnel.created"
"tunnel.updated"
"tunnel.deleted"
"role.created"
"role.updated"
"role.deleted"
"role.assignment.created"
"role.assignment.deleted"
"scim.enabled"
"scim.disabled"
"service_account.created"
"service_account.updated"
"service_account.deleted"
"user.added"
"user.updated"
"user.deleted"
actor?: Actor | null

The actor who performed the audit logged action.

api_key?: APIKey { id, service_account, type, user }

The API Key used to perform the audit logged action.

id?: string

The tracking id of the API key.

service_account?: ServiceAccount { id }

The service account that performed the audit logged action.

id?: string

The service account id.

type?: "user" | "service_account"

The type of API key. Can be either user or service_account.

One of the following:
"user"
"service_account"
user?: User { id, email }

The user who performed the audit logged action.

id?: string

The user id.

email?: string

The user email.

session?: Session { ip_address, user }

The session in which the audit logged action was performed.

ip_address?: string

The IP address from which the action was performed.

user?: User { id, email }

The user who performed the audit logged action.

id?: string

The user id.

email?: string

The user email.

type?: "session" | "api_key"

The type of actor. Is either session or api_key.

One of the following:
"session"
"api_key"
"api_key.created"?: APIKeyCreated { id, data }

The details for events with this type.

id?: string

The tracking ID of the API key.

data?: Data { scopes }

The payload used to create the API key.

scopes?: Array<string>

A list of scopes allowed for the API key, e.g. ["api.model.request"]

"api_key.deleted"?: APIKeyDeleted { id }

The details for events with this type.

id?: string

The tracking ID of the API key.

"api_key.updated"?: APIKeyUpdated { id, changes_requested }

The details for events with this type.

id?: string

The tracking ID of the API key.

changes_requested?: ChangesRequested { scopes }

The payload used to update the API key.

scopes?: Array<string>

A list of scopes allowed for the API key, e.g. ["api.model.request"]

"certificate.created"?: CertificateCreated { id, name }

The details for events with this type.

id?: string

The certificate ID.

name?: string

The name of the certificate.

"certificate.deleted"?: CertificateDeleted { id, certificate, name }

The details for events with this type.

id?: string

The certificate ID.

certificate?: string

The certificate content in PEM format.

name?: string

The name of the certificate.

"certificate.updated"?: CertificateUpdated { id, name }

The details for events with this type.

id?: string

The certificate ID.

name?: string

The name of the certificate.

"certificates.activated"?: CertificatesActivated { certificates }

The details for events with this type.

certificates?: Array<Certificate>
id?: string

The certificate ID.

name?: string

The name of the certificate.

"certificates.deactivated"?: CertificatesDeactivated { certificates }

The details for events with this type.

certificates?: Array<Certificate>
id?: string

The certificate ID.

name?: string

The name of the certificate.

"checkpoint.permission.created"?: CheckpointPermissionCreated { id, data }

The project and fine-tuned model checkpoint that the checkpoint permission was created for.

id?: string

The ID of the checkpoint permission.

data?: Data { fine_tuned_model_checkpoint, project_id }

The payload used to create the checkpoint permission.

fine_tuned_model_checkpoint?: string

The ID of the fine-tuned model checkpoint.

project_id?: string

The ID of the project that the checkpoint permission was created for.

"checkpoint.permission.deleted"?: CheckpointPermissionDeleted { id }

The details for events with this type.

id?: string

The ID of the checkpoint permission.

"external_key.registered"?: ExternalKeyRegistered { id, data }

The details for events with this type.

id?: string

The ID of the external key configuration.

data?: unknown

The configuration for the external key.

"external_key.removed"?: ExternalKeyRemoved { id }

The details for events with this type.

id?: string

The ID of the external key configuration.

"group.created"?: GroupCreated { id, data }

The details for events with this type.

id?: string

The ID of the group.

data?: Data { group_name }

Information about the created group.

group_name?: string

The group name.

"group.deleted"?: GroupDeleted { id }

The details for events with this type.

id?: string

The ID of the group.

"group.updated"?: GroupUpdated { id, changes_requested }

The details for events with this type.

id?: string

The ID of the group.

changes_requested?: ChangesRequested { group_name }

The payload used to update the group.

group_name?: string

The updated group name.

"invite.accepted"?: InviteAccepted { id }

The details for events with this type.

id?: string

The ID of the invite.

"invite.deleted"?: InviteDeleted { id }

The details for events with this type.

id?: string

The ID of the invite.

"invite.sent"?: InviteSent { id, data }

The details for events with this type.

id?: string

The ID of the invite.

data?: Data { email, role }

The payload used to create the invite.

email?: string

The email invited to the organization.

role?: string

The role the email was invited to be. Is either owner or member.

"ip_allowlist.config.activated"?: IPAllowlistConfigActivated { configs }

The details for events with this type.

configs?: Array<Config>

The configurations that were activated.

id?: string

The ID of the IP allowlist configuration.

name?: string

The name of the IP allowlist configuration.

"ip_allowlist.config.deactivated"?: IPAllowlistConfigDeactivated { configs }

The details for events with this type.

configs?: Array<Config>

The configurations that were deactivated.

id?: string

The ID of the IP allowlist configuration.

name?: string

The name of the IP allowlist configuration.

"ip_allowlist.created"?: IPAllowlistCreated { id, allowed_ips, name }

The details for events with this type.

id?: string

The ID of the IP allowlist configuration.

allowed_ips?: Array<string>

The IP addresses or CIDR ranges included in the configuration.

name?: string

The name of the IP allowlist configuration.

"ip_allowlist.deleted"?: IPAllowlistDeleted { id, allowed_ips, name }

The details for events with this type.

id?: string

The ID of the IP allowlist configuration.

allowed_ips?: Array<string>

The IP addresses or CIDR ranges that were in the configuration.

name?: string

The name of the IP allowlist configuration.

"ip_allowlist.updated"?: IPAllowlistUpdated { id, allowed_ips }

The details for events with this type.

id?: string

The ID of the IP allowlist configuration.

allowed_ips?: Array<string>

The updated set of IP addresses or CIDR ranges in the configuration.

"login.failed"?: LoginFailed { error_code, error_message }

The details for events with this type.

error_code?: string

The error code of the failure.

error_message?: string

The error message of the failure.

"login.succeeded"?: unknown

This event has no additional fields beyond the standard audit log attributes.

"logout.failed"?: LogoutFailed { error_code, error_message }

The details for events with this type.

error_code?: string

The error code of the failure.

error_message?: string

The error message of the failure.

"logout.succeeded"?: unknown

This event has no additional fields beyond the standard audit log attributes.

"organization.updated"?: OrganizationUpdated { id, changes_requested }

The details for events with this type.

id?: string

The organization ID.

changes_requested?: ChangesRequested { api_call_logging, api_call_logging_project_ids, description, 4 more }

The payload used to update the organization settings.

api_call_logging?: string

How your organization logs data from supported API calls. One of disabled, enabled_per_call, enabled_for_all_projects, or enabled_for_selected_projects

api_call_logging_project_ids?: string

The list of project ids if api_call_logging is set to enabled_for_selected_projects

description?: string

The organization description.

name?: string

The organization name.

threads_ui_visibility?: string

Visibility of the threads page which shows messages created with the Assistants API and Playground. One of ANY_ROLE, OWNERS, or NONE.

title?: string

The organization title.

usage_dashboard_visibility?: string

Visibility of the usage dashboard which shows activity and costs for your organization. One of ANY_ROLE or OWNERS.

project?: Project { id, name }

The project that the action was scoped to. Absent for actions not scoped to projects. Note that any admin actions taken via Admin API keys are associated with the default project.

id?: string

The project ID.

name?: string

The project title.

"project.archived"?: ProjectArchived { id }

The details for events with this type.

id?: string

The project ID.

"project.created"?: ProjectCreated { id, data }

The details for events with this type.

id?: string

The project ID.

data?: Data { name, title }

The payload used to create the project.

name?: string

The project name.

title?: string

The title of the project as seen on the dashboard.

"project.deleted"?: ProjectDeleted { id }

The details for events with this type.

id?: string

The project ID.

"project.updated"?: ProjectUpdated { id, changes_requested }

The details for events with this type.

id?: string

The project ID.

changes_requested?: ChangesRequested { title }

The payload used to update the project.

title?: string

The title of the project as seen on the dashboard.

"rate_limit.deleted"?: RateLimitDeleted { id }

The details for events with this type.

id?: string

The rate limit ID

"rate_limit.updated"?: RateLimitUpdated { id, changes_requested }

The details for events with this type.

id?: string

The rate limit ID

changes_requested?: ChangesRequested { batch_1_day_max_input_tokens, max_audio_megabytes_per_1_minute, max_images_per_1_minute, 3 more }

The payload used to update the rate limits.

batch_1_day_max_input_tokens?: number

The maximum batch input tokens per day. Only relevant for certain models.

max_audio_megabytes_per_1_minute?: number

The maximum audio megabytes per minute. Only relevant for certain models.

max_images_per_1_minute?: number

The maximum images per minute. Only relevant for certain models.

max_requests_per_1_day?: number

The maximum requests per day. Only relevant for certain models.

max_requests_per_1_minute?: number

The maximum requests per minute.

max_tokens_per_1_minute?: number

The maximum tokens per minute.

"role.assignment.created"?: RoleAssignmentCreated { id, principal_id, principal_type, 2 more }

The details for events with this type.

id?: string

The identifier of the role assignment.

principal_id?: string

The principal (user or group) that received the role.

principal_type?: string

The type of principal (user or group) that received the role.

resource_id?: string

The resource the role assignment is scoped to.

resource_type?: string

The type of resource the role assignment is scoped to.

"role.assignment.deleted"?: RoleAssignmentDeleted { id, principal_id, principal_type, 2 more }

The details for events with this type.

id?: string

The identifier of the role assignment.

principal_id?: string

The principal (user or group) that had the role removed.

principal_type?: string

The type of principal (user or group) that had the role removed.

resource_id?: string

The resource the role assignment was scoped to.

resource_type?: string

The type of resource the role assignment was scoped to.

"role.created"?: RoleCreated { id, permissions, resource_id, 2 more }

The details for events with this type.

id?: string

The role ID.

permissions?: Array<string>

The permissions granted by the role.

resource_id?: string

The resource the role is scoped to.

resource_type?: string

The type of resource the role belongs to.

role_name?: string

The name of the role.

"role.deleted"?: RoleDeleted { id }

The details for events with this type.

id?: string

The role ID.

"role.updated"?: RoleUpdated { id, changes_requested }

The details for events with this type.

id?: string

The role ID.

changes_requested?: ChangesRequested { description, metadata, permissions_added, 4 more }

The payload used to update the role.

description?: string

The updated role description, when provided.

metadata?: unknown

Additional metadata stored on the role.

permissions_added?: Array<string>

The permissions added to the role.

permissions_removed?: Array<string>

The permissions removed from the role.

resource_id?: string

The resource the role is scoped to.

resource_type?: string

The type of resource the role belongs to.

role_name?: string

The updated role name, when provided.

"scim.disabled"?: ScimDisabled { id }

The details for events with this type.

id?: string

The ID of the SCIM was disabled for.

"scim.enabled"?: ScimEnabled { id }

The details for events with this type.

id?: string

The ID of the SCIM was enabled for.

"service_account.created"?: ServiceAccountCreated { id, data }

The details for events with this type.

id?: string

The service account ID.

data?: Data { role }

The payload used to create the service account.

role?: string

The role of the service account. Is either owner or member.

"service_account.deleted"?: ServiceAccountDeleted { id }

The details for events with this type.

id?: string

The service account ID.

"service_account.updated"?: ServiceAccountUpdated { id, changes_requested }

The details for events with this type.

id?: string

The service account ID.

changes_requested?: ChangesRequested { role }

The payload used to updated the service account.

role?: string

The role of the service account. Is either owner or member.

"user.added"?: UserAdded { id, data }

The details for events with this type.

id?: string

The user ID.

data?: Data { role }

The payload used to add the user to the project.

role?: string

The role of the user. Is either owner or member.

"user.deleted"?: UserDeleted { id }

The details for events with this type.

id?: string

The user ID.

"user.updated"?: UserUpdated { id, changes_requested }

The details for events with this type.

id?: string

The project ID.

changes_requested?: ChangesRequested { role }

The payload used to update the user.

role?: string

The role of the user. Is either owner or member.

List audit logs

import OpenAI from 'openai';

const client = new OpenAI({
  adminAPIKey: process.env['OPENAI_ADMIN_KEY'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const auditLogListResponse of client.admin.organization.auditLogs.list()) {
  console.log(auditLogListResponse.id);
}
{
    "object": "list",
    "data": [
        {
            "id": "audit_log-xxx_yyyymmdd",
            "type": "project.archived",
            "effective_at": 1722461446,
            "actor": {
                "type": "api_key",
                "api_key": {
                    "type": "user",
                    "user": {
                        "id": "user-xxx",
                        "email": "user@example.com"
                    }
                }
            },
            "project.archived": {
                "id": "proj_abc"
            },
        },
        {
            "id": "audit_log-yyy__20240101",
            "type": "api_key.updated",
            "effective_at": 1720804190,
            "actor": {
                "type": "session",
                "session": {
                    "user": {
                        "id": "user-xxx",
                        "email": "user@example.com"
                    },
                    "ip_address": "127.0.0.1",
                    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
                    "ja3": "a497151ce4338a12c4418c44d375173e",
                    "ja4": "q13d0313h3_55b375c5d22e_c7319ce65786",
                    "ip_address_details": {
                      "country": "US",
                      "city": "San Francisco",
                      "region": "California",
                      "region_code": "CA",
                      "asn": "1234",
                      "latitude": "37.77490",
                      "longitude": "-122.41940"
                    }
                }
            },
            "api_key.updated": {
                "id": "key_xxxx",
                "data": {
                    "scopes": ["resource_2.operation_2"]
                }
            },
        }
    ],
    "first_id": "audit_log-xxx__20240101",
    "last_id": "audit_log_yyy__20240101",
    "has_more": true
}
Returns Examples
{
    "object": "list",
    "data": [
        {
            "id": "audit_log-xxx_yyyymmdd",
            "type": "project.archived",
            "effective_at": 1722461446,
            "actor": {
                "type": "api_key",
                "api_key": {
                    "type": "user",
                    "user": {
                        "id": "user-xxx",
                        "email": "user@example.com"
                    }
                }
            },
            "project.archived": {
                "id": "proj_abc"
            },
        },
        {
            "id": "audit_log-yyy__20240101",
            "type": "api_key.updated",
            "effective_at": 1720804190,
            "actor": {
                "type": "session",
                "session": {
                    "user": {
                        "id": "user-xxx",
                        "email": "user@example.com"
                    },
                    "ip_address": "127.0.0.1",
                    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
                    "ja3": "a497151ce4338a12c4418c44d375173e",
                    "ja4": "q13d0313h3_55b375c5d22e_c7319ce65786",
                    "ip_address_details": {
                      "country": "US",
                      "city": "San Francisco",
                      "region": "California",
                      "region_code": "CA",
                      "asn": "1234",
                      "latitude": "37.77490",
                      "longitude": "-122.41940"
                    }
                }
            },
            "api_key.updated": {
                "id": "key_xxxx",
                "data": {
                    "scopes": ["resource_2.operation_2"]
                }
            },
        }
    ],
    "first_id": "audit_log-xxx__20240101",
    "last_id": "audit_log_yyy__20240101",
    "has_more": true
}