1 of 1

System Audit Logs

Endpoints for monitoring Veza user activity

Operation

Syntax

GET /api/preview/system/audit

GET /api/preview/system/audit/export

Audit Logs record every API call, providing a record of actions conducted within Veza. Depending on your use case, you can export a continuous list of events, or get events matching a filter in chronological order. Developers, administrators, and security teams can use these requests to:

Integrate Veza with an SIEM platform or other auditing tools
Detect potential inappropriate access or usage
Get insight into how users are interacting with the Veza platform

See for more details about the audit event object.

Pagination

Responses will include a next_page_token. Use this page_token in the request query to get the next batch of results.

Setting a page size is required for requests. The maximum page size is currently 10,000 records.

List audit events

This endpoint supports filtering by ended_at timestamp, method, user_id, and url. Results are ordered by time completed.

A timestamp filter is always required. The API allows querying events for up to 90 days in the past.

Example:

Export audit events

Returns a paginated list of events, intended for exporting entries into an external log management system.

To ingest events as they become available without skipping any entries, first make call with a persisted_at GE "TIMESTAMP" filter. Then, continuously call the next page. The export endpoint can return the error code ResourceExhaused. If encountered, clients should wait for a minute before retrying the request.

Example:

Question: If a customer includes the persisted_at timestamp hard-coded in a script, and Veza only exports events for 1 month, what happens after a month?

Answer: The persisted_at parameter is ignored if you send a page_token in the API call. It won’t matter if the date is more than 90 or 30 days in the past.

Audit events

An event describes an API-level action, including the IP address and user agent of the caller. Requests can originate from user sessions, or from applications using API keys. The following is a sample event for a successful API key generation:

Identity

Field

Description

Status

Field

Description

Client

Field

Description

Event

Field

Description

request and response both only contain some whitelisted fields. Due to size limitations, the entire message is not recorded.

System Audit Logs

Endpoints for monitoring Veza user activity

Operation

Syntax

GET /api/preview/system/audit

GET /api/preview/system/audit/export

Integrate Veza with an SIEM platform or other auditing tools
Detect potential inappropriate access or usage
Get insight into how users are interacting with the Veza platform

See for more details about the audit event object.

Pagination

Responses will include a next_page_token. Use this page_token in the request query to get the next batch of results.

Setting a page size is required for requests. The maximum page size is currently 10,000 records.

List audit events

This endpoint supports filtering by ended_at timestamp, method, user_id, and url. Results are ordered by time completed.

A timestamp filter is always required. The API allows querying events for up to 90 days in the past.

Example:

Export audit events

Returns a paginated list of events, intended for exporting entries into an external log management system.

Example:

Question: If a customer includes the persisted_at timestamp hard-coded in a script, and Veza only exports events for 1 month, what happens after a month?

Answer: The persisted_at parameter is ignored if you send a page_token in the API call. It won’t matter if the date is more than 90 or 30 days in the past.

Audit events

Identity

Field

Description

Status

Field

Description

Client

Field

Description

Event

Field

Description

request and response both only contain some whitelisted fields. Due to size limitations, the entire message is not recorded.

{
    "identity": {
        "user_id": "aeaa34cf-e97f-4315-b185-249018cf191c",
        "session_id": "b0ba024d-0158-4c7e-a47f-bbe8f7b98806",
        "api_key_id": "",
        "email": "[email protected]"
    },
    "status": {
        "grpc_code": "OK",
        "http_status": 200,
        "error_reason": "OK"
    },
    "client": {
        "ip": "10.42.1.1",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
    },
    "endpoint": "/api_protos.v1.APIKeyService/CreateAPIKey",
    "method": "POST",
    "url": "/api/preview/keys",
    "request_id": "1a98184880f9952551c53d836598b258",
    "request": {
        "name": "KeyName1"
    },
    "response": {
        "value": {
            "id": "fde4386f-3d85-4ef2-82d0-324dacb6e9ba",
            "name": "KeyName1",
            "team_id": "613df06e-9a40-4331-947c-5c327b54b228",
            "user_id": "aeaa34cf-e97f-4315-b185-249018cf191c"
        }
    },
    "started_at": "2023-07-26T08:23:17.134994459Z",
    "ended_at": "2023-07-26T08:23:17.151080751Z"
}

get

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters

filterstringRequired

Filter expression (required). Must include an ended_at GE timestamp filter that is within the last 90 days. Supports filtering by ended_at, method, user_id, and url. Cannot be set when page_token is provided. Example: ended_at GE "2025-01-01T00:00:00Z"

page_sizeinteger · int32Required

Number of results per page (required). Minimum: 1, maximum: 10,000.

page_tokenstringOptional

Pagination token from a previous response. When provided, the filter parameter must not be set — the page token carries forward the original filter constraints.

Responses

200

application/json

idstringOptional

timestampstring · date-timeOptional

trace_idstringOptional

user_idstringOptional

session_idstringOptional

api_key_idstringOptional

oauth2_token_idstringOptional

endpointstringOptional

methodstringOptional

urlstringOptional

ip_addressstringOptional

user_agentstringOptional

requestobjectOptional

delegatestringOptional

codeinteger · int32Optional

error_reasoninteger · enumOptional

responseobjectOptional

next_page_tokenstringOptional

default

Default error response

application/json

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

codeinteger · int32Optional

The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

messagestringOptional

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

@typestringOptional

The type of the serialized message.

Other propertiesanyOptional

get

/api/preview/system/audit

get

Authorizations

AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters

filterstringRequired

Filter expression (required). Must include a persisted_at GE timestamp filter that is within the last 90 days. Cannot be set when page_token is provided. Example: persisted_at GE "2025-01-01T00:00:00Z"

page_sizeinteger · int32Required

Number of results per page (required). Minimum: 1, maximum: 10,000.

page_tokenstringOptional

Pagination token from a previous response. When provided, the filter parameter must not be set — the page token carries forward the original filter constraints. If the API returns ResourceExhausted, wait one minute before retrying.

Responses

200

application/json

idstringOptional

timestampstring · date-timeOptional

trace_idstringOptional

user_idstringOptional

session_idstringOptional

api_key_idstringOptional

oauth2_token_idstringOptional

endpointstringOptional

methodstringOptional

urlstringOptional

ip_addressstringOptional

user_agentstringOptional

requestobjectOptional

delegatestringOptional

codeinteger · int32Optional

error_reasoninteger · enumOptional

responseobjectOptional

next_page_tokenstringOptional

default

Default error response

application/json

codeinteger · int32Optional

The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

messagestringOptional

@typestringOptional

The type of the serialized message.

Other propertiesanyOptional

get

/api/preview/system/audit/export

System Audit Logs

hashtagPagination

hashtagList audit events

hashtagExport audit events

hashtagAudit events

hashtagIdentity

hashtagStatus

hashtagClient

hashtagEvent

System Audit Logs

hashtagPagination

hashtagList audit events

hashtagExport audit events

hashtagAudit events

hashtagIdentity

hashtagStatus

hashtagClient

hashtagEvent

Pagination

List audit events

Export audit events

Audit events

Identity

Status

Client

Event

Pagination

List audit events

Export audit events

Audit events

Identity

Status

Client

Event