All pages
Powered by GitBook
1 of 1

Loading...

System Audit Logs

Endpoints for monitoring Veza user activity

Operation
Syntax

GET /api/preview/system/audit

GET /api/v1/system/audit/export

Audit Logs record every API call, providing a record of actions conducted within Veza. Depending on your use case, you can export a continuous list of events, or get events matching a filter in chronological order. Developers, administrators, and security teams can use these requests to:

  • Integrate Veza with an SIEM platform or other auditing tools

  • Detect potential inappropriate access or usage

  • Get insight into how users are interacting with the Veza platform

See for more details about the audit event object.

Responses will include a next_page_token. Use this page_token in the request query to get the next batch of results.

Setting a page size is required for requests. The maximum page size is currently 10,000 records.

This endpoint supports filtering by ended_at timestamp, method, user_id, and url. Results are ordered by time completed.

A timestamp filter is always required. The API allows querying events for up to 90 days in the past.

Example:

Returns a paginated list of events, intended for exporting entries into an external log management system.

To ingest events as they become available without skipping any entries, first make call with a persisted_at GE "TIMESTAMP" filter. Then, continuously call the next page. The export endpoint can return the error code ResourceExhaused. If encountered, clients should wait for a minute before retrying the request.

Example:

An event describes an API-level action, including the IP address and user agent of the caller. Requests can originate from user sessions, or from applications using API keys. The following is a sample event for a successful API key generation:

Field
Description
Field
Description
Field
Description
Field
Description
  • request and response both only contain some whitelisted fields. Due to size limitations, the entire message is not recorded.

email

User email address.

request_id

The unique identifier for the request.

request

The contents of the API request.

response

Excerpt of the API response.

started_at

RFC 3339 timestamp when the event started.

ended_at

RFC 3339 timestamp when the event ended.

curl -X GET "$VEZA_URL/api/preview/system/audit?page_token=&page_size=1&filter=ended_at+GE+%222023-08-04T22:11:25.915674671Z%22" \
-H "authorization: Bearer $VEZA_TOKEN"
curl -X GET "$VEZA_URL/api/v1/system/audit/export?filter=persisted_at+GE+%222023-08-07T22:11:25.915674671Z%22&page_size=5&next_page_token=" \
-H "authorization: Bearer $VEZA_TOKEN"
{
    "identity": {
        "user_id": "aeaa34cf-e97f-4315-b185-249018cf191c",
        "session_id": "b0ba024d-0158-4c7e-a47f-bbe8f7b98806",
        "api_key_id": "",
        "email": "cookie@cookie.ai"
    },
    "status": {
        "grpc_code": "OK",
        "http_status": 200,
        "error_reason": "OK"
    },
    "client": {
        "ip": "10.42.1.1",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
    },
    "endpoint": "/api_protos.v1.APIKeyService/CreateAPIKey",
    "method": "POST",
    "url": "/api/preview/keys",
    "request_id": "1a98184880f9952551c53d836598b258",
    "request": {
        "name": "KeyName1"
    },
    "response": {
        "value": {
            "id": "fde4386f-3d85-4ef2-82d0-324dacb6e9ba",
            "name": "KeyName1",
            "team_id": "613df06e-9a40-4331-947c-5c327b54b228",
            "user_id": "aeaa34cf-e97f-4315-b185-249018cf191c"
        }
    },
    "started_at": "2023-07-26T08:23:17.134994459Z",
    "ended_at": "2023-07-26T08:23:17.151080751Z"
}

user_id

Unique user identifier.

session_id

Unique session identifier.

api_key_id

Unique identifier of an API key.

grpc_code

gRPC code indicating request status.

http_status

HTTP status code of the response.

error_reason

Details about a bad request.

ip

Client IP address.

user_agent

Client user agent string.

endpoint

The API endpoint that was accessed.

method

The HTTP method used for the request.

url

The URL of the request.

Pagination

List audit events

Export audit events

Question: If a customer includes the persisted_at timestamp hard-coded in a script, and Veza only exports events for 1 month, what happens after a month?

Answer: The persisted_at parameter is ignored if you send a page_token in the API call. It won’t matter if the date is more than 90 or 30 days in the past.

Audit events

Identity

Status

Client

Event

Audit events
List audit events
Export audit events
get
Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters
filterstringRequired

Filter expression (required). Must include an ended_at GE timestamp filter that is within the last 90 days. Supports filtering by ended_at, method, user_id, and url. Cannot be set when page_token is provided. Example: ended_at GE "2025-01-01T00:00:00Z"

page_sizeinteger · int32Required

Number of results per page (required). Minimum: 1, maximum: 10,000.

page_tokenstringOptional

Pagination token from a previous response. When provided, the filter parameter must not be set — the page token carries forward the original filter constraints.

order_bystringOptional
Responses
200

OK

application/json
idstringOptional
timestampstring · date-timeOptional
trace_idstringOptional
user_idstringOptional
session_idstringOptional
api_key_idstringOptional
oauth2_token_idstringOptional
endpointstringOptional
methodstringOptional
urlstringOptional
ip_addressstringOptional
user_agentstringOptional
requestobjectOptional
delegatestringOptional
actor_full_namestringOptional
token_typestringOptional
actor_typestringOptional
action_namestringOptional

action_name and resource_type are resolved by cp-api at request time from the (audit.v1.method) proto annotation on the gRPC method and carried in the Kafka message so the auditor does not need proto reflection.

resource_typestringOptional
idstringOptional
namestringOptional
typestringOptional
codeinteger · int32Optional
error_reasoninteger · enumOptional
responseobjectOptional
idstringOptional
namestringOptional
typestringOptional
event_typestringOptional

event_type is the unique, customer-facing identifier for classifying the event type and shape

eventobjectOptional

event is the protojson form of the event encoded as a Struct so the payload renders as a nested JSON object both at the DB column and across the gRPC trailer wire format. Using bytes here would force protojson to emit a base64-encoded string for what is otherwise structured data.

next_page_tokenstringOptional
default

Default error response

application/json
get/api/preview/system/audit
get
Authorizations
AuthorizationstringRequired

Veza API key for authentication. Generate keys in Administration > API Keys.

Query parameters
filterstringOptional
page_sizeinteger · int32Optional
page_tokenstringOptional
Responses
200

OK

application/json
idstringOptional
timestampstring · date-timeOptional
trace_idstringOptional
user_idstringOptional
session_idstringOptional
api_key_idstringOptional
oauth2_token_idstringOptional
endpointstringOptional
methodstringOptional
urlstringOptional
ip_addressstringOptional
user_agentstringOptional
requestobjectOptional
delegatestringOptional
actor_full_namestringOptional
token_typestringOptional
actor_typestringOptional
action_namestringOptional

action_name and resource_type are resolved by cp-api at request time from the (audit.v1.method) proto annotation on the gRPC method and carried in the Kafka message so the auditor does not need proto reflection.

resource_typestringOptional
idstringOptional
namestringOptional
typestringOptional
codeinteger · int32Optional
error_reasoninteger · enumOptional
responseobjectOptional
idstringOptional
namestringOptional
typestringOptional
event_typestringOptional

event_type is the unique, customer-facing identifier for classifying the event type and shape

eventobjectOptional

event is the protojson form of the event encoded as a Struct so the payload renders as a nested JSON object both at the DB column and across the gRPC trailer wire format. Using bytes here would force protojson to emit a base64-encoded string for what is otherwise structured data.

next_page_tokenstringOptional
default

Default error response

application/json
get/api/v1/system/audit/export
{
  "values": [
    {
      "id": "text",
      "timestamp": "2026-07-07T16:04:34.425Z",
      "intent": {
        "trace_id": "text",
        "user_id": "text",
        "session_id": "text",
        "api_key_id": "text",
        "oauth2_token_id": "text",
        "endpoint": "text",
        "method": "text",
        "url": "text",
        "client": {
          "ip_address": "text",
          "user_agent": "text"
        },
        "request": {},
        "delegate": "text",
        "actor_full_name": "text",
        "token_type": "text",
        "actor_type": "text",
        "action_name": "text",
        "resource_type": "text",
        "resources": [
          {
            "id": "text",
            "name": "text",
            "type": "text"
          }
        ]
      },
      "result": {
        "code": 1,
        "error_reason": 1,
        "response": {},
        "resources": [
          {
            "id": "text",
            "name": "text",
            "type": "text"
          }
        ],
        "context_events": [
          {
            "event_type": "text",
            "event": {}
          }
        ]
      }
    }
  ],
  "next_page_token": "text"
}
GET /api/preview/system/audit?filter=text&page_size=1 HTTP/1.1
Host: your-tenant.vezacloud.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
GET /api/v1/system/audit/export HTTP/1.1
Host: your-tenant.vezacloud.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{
  "values": [
    {
      "id": "text",
      "timestamp": "2026-07-07T16:04:34.425Z",
      "intent": {
        "trace_id": "text",
        "user_id": "text",
        "session_id": "text",
        "api_key_id": "text",
        "oauth2_token_id": "text",
        "endpoint": "text",
        "method": "text",
        "url": "text",
        "client": {
          "ip_address": "text",
          "user_agent": "text"
        },
        "request": {},
        "delegate": "text",
        "actor_full_name": "text",
        "token_type": "text",
        "actor_type": "text",
        "action_name": "text",
        "resource_type": "text",
        "resources": [
          {
            "id": "text",
            "name": "text",
            "type": "text"
          }
        ]
      },
      "result": {
        "code": 1,
        "error_reason": 1,
        "response": {},
        "resources": [
          {
            "id": "text",
            "name": "text",
            "type": "text"
          }
        ],
        "context_events": [
          {
            "event_type": "text",
            "event": {}
          }
        ]
      }
    }
  ],
  "next_page_token": "text"
}