The audit log records all significant actions performed within your tenant - resource creation and deletion, API key usage, settings changes, and more. Results are cursor-paginated and ordered newest-first.
Base path: /api/v1/audit-log
Endpoints
| Method | Path | Description |
|---|---|---|
GET | /api/v1/audit-log | Fetch recent audit events |
List Audit Events
GET /api/v1/audit-log
Auth
Authorization: Bearer msk_...Query Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
limit | integer | No | 50 | Events per page (max 100) |
after | string | No | - | Cursor from previous response’s next_cursor |
type | string | No | - | Filter by event type prefix (e.g. sandbox.) |
actor_id | string | No | - | Filter by actor user ID |
resource_type | string | No | - | Filter by resource type (e.g. sandbox) |
resource_id | string | No | - | Filter by resource ID |
Response - 200 OK
{
"data": [
{
"id": "evt_01hwxyz...",
"type": "sandbox.created",
"actor": {
"type": "api_key",
"id": "user_clinic_42"
},
"resource": {
"type": "sandbox",
"id": "sbx_abc123"
},
"ts": "2026-05-26T10:14:23Z",
"metadata": {
"image": "debian-12-sandbox-v8",
"workspace_id": "ws_01hwxyz..."
}
}
],
"next_cursor": "MjAyNi0wNS0yNlQxMDoxNDoyM1o"
}| Field | Type | Description |
|---|---|---|
data[].id | string | Unique event ID |
data[].type | string | Dot-namespaced event type |
data[].actor.type | string | "user" or "api_key" |
data[].actor.id | string | User ID or external_user_id for API key actors |
data[].resource.type | string | Resource type (e.g. sandbox, computer, webhook) |
data[].resource.id | string | Resource ID |
data[].ts | string | ISO 8601 timestamp |
data[].metadata | object | Event-specific detail fields |
next_cursor | string | Opaque cursor; omitted when no more pages |
Common Event Types
| Type | Trigger |
|---|---|
sandbox.created | Sandbox provisioned |
sandbox.destroyed | Sandbox deleted |
sandbox.exec | POST /exec called |
computer.created | Computer provisioned |
computer.stopped | Computer stopped |
computer.deleted | Computer deleted |
snapshot.created | Snapshot initiated |
api_key.created | API key minted |
api_key.deleted | API key revoked |
tenant.preview_domain.set | Preview domain configured |
webhook.created | Outgoing webhook created |
quota.upserted | Per-user quota set |
settings.updated | Tenant settings changed |
Use the type filter with a prefix to narrow events (e.g. type=sandbox. returns all sandbox events).
Pagination
Audit events are returned newest-first. To page forward:
- Issue the initial request without
after. - If
next_cursoris present, re-issue withafter={next_cursor}. - Stop when
next_cursoris absent.
Cursors are opaque base64url strings encoding a timestamp. Do not parse or construct them.
Errors
| Status | Code | Cause |
|---|---|---|
| 400 | - | Invalid cursor format |