Audit Log Reference

Every mutating request against ScaiGrid is recorded in the audit log. This reference describes how to query and export it.

Required permission: admin:access (for tenant audit), accounting:view_partner (for partner-wide), super admin (for platform-wide).

What's recorded#

For every POST/PUT/PATCH/DELETE request (with a few exceptions like audit queries themselves, OAI-compat inference, and health checks):

Actor identity (user ID, email, partner, tenant)
Actor type (user / service / webhook)
Action (model.create, user.update, budget.delete, etc.)
Resource type and ID
IP address and User-Agent
Status (SUCCESS / FAILURE)
Timestamp
Request ID (for correlating with application logs)

Read requests are not logged by default to avoid log explosion. Module-specific audit can be enabled for sensitive reads via module config.

GET /v1/audit-log#

Query the audit log.

Query params:

Param	Description
`start`	ISO 8601 timestamp
`end`	ISO 8601 timestamp
`action`	Filter by action string (e.g., `user.create`)
`actor_id`	Filter by actor
`resource_type`	`user`, `model`, `backend`, `budget`, etc.
`resource_id`	Specific resource
`status`	`SUCCESS` / `FAILURE`
`ip_address`	Filter by IP
`limit`	Page size (default 100, max 1000)
`cursor`	Pagination cursor

Response:

json
{
  "data": {
    "items": [
      {
        "id": "audit_...",
        "timestamp": "2026-04-22T14:30:00Z",
        "action": "budget.create",
        "actor_id": "user_alice",
        "actor_email": "alice@acme.example",
        "actor_type": "user",
        "tenant_id": "tenant_acme",
        "partner_id": "partner_internal",
        "resource_type": "budget",
        "resource_id": "budget_xyz",
        "ip_address": "198.51.100.42",
        "user_agent": "curl/8.4.0",
        "status": "SUCCESS",
        "details": {"limit": "500.00", "period": "monthly"}
      }
    ]
  },
  "pagination": {"has_more": true, "next_cursor": "..."}
}

Per default, tenant admins see only their tenant's audit events. Partner admins see all tenants under their partner. Super admins see the platform-wide log.

GET /v1/audit-log/export#

Export audit trail to CSV, JSON, or NDJSON.

Query params: same filters as /audit-log, plus format.

bash
curl "https://scaigrid.scailabs.ai/v1/audit-log/export?start=2026-04-01&end=2026-04-30&format=ndjson" \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -o april-audit.ndjson

For large exports (> 100K events), use narrower time windows. Streams the entire result.

Common action patterns#

carbon
{resource_type}.{verb}

Examples:

model.create, model.update, model.delete
user.create, user.update, user.delete, user.role_update
api_key.create, api_key.delete
budget.create, budget.update, budget.delete
webhook.create, webhook.update, webhook.delete
tenant.create, tenant.suspend, tenant.unsuspend
Module events: scaibot.bot.create, scaicore.core.deploy, etc.

Unusual patterns:

auth.login — successful user login
auth.logout — explicit logout
mcp.tool.invoke — MCP tool invocation
scailink.capability.invoke — ScaiLink tool invocation

Retention#

Default retention is 365 days. Configurable per tenant (minimum 90 days for compliance).

Expired events are permanently deleted. Export before deletion if you need longer retention.

Error codes#

Code	Meaning
`AUTHZ_PERMISSION_DENIED`	Caller lacks `admin:access` or higher
`VALIDATION_ERROR`	Invalid query parameters

Webhooks — subscribe to audit-level events
Authentication Reference — login/logout events
Users and Access — user management actions