Audit Log
Use the audit log to investigate organization activity and meet compliance needs.
Audit Log
The PayloadRelay audit log gives your organization a complete, queryable history of who did what, when. It is an append-only record designed for security monitoring, compliance reporting, and incident investigation.
Who can view it?
Only organization Owners and Admins can access the audit log. Regular members (USER) and read-only members (VIEWER) receive a 403 error when calling the audit API. The log is always scoped to your organization — you cannot see another organization's events.
What is logged?
Every significant action performed by a user or the system generates an audit event. The table below lists the currently emitted action values.
| Action | Description |
|---|---|
endpoint.created | A new relay endpoint was created |
endpoint.updated | An endpoint's settings were changed |
endpoint.deleted | An endpoint was permanently deleted |
endpoint.paused | An endpoint was manually paused |
endpoint.resumed | A paused endpoint was manually resumed |
endpoint.auto_paused | An endpoint was automatically paused by the failure-alert system |
output.created | An output was added to an endpoint |
output.updated | An output's settings were changed |
output.deleted | An output was removed |
output.template.updated | The message template for an output was changed |
output.routing_filters.updated | The routing filters for an output were changed |
target.created | A relay target (webhook, email, Slack, etc.) was created |
target.updated | A relay target was edited |
target.deleted | A relay target was removed |
target.smtp.verified | An SMTP relay target connection was successfully verified |
transform.created | A transform rule was added |
transform.updated | A transform rule was edited |
transform.deleted | A transform rule was removed |
alert.config.updated | The failure-alert configuration for an endpoint was changed |
alert.fired | A failure alert was triggered |
alert.test_sent | A test alert was dispatched manually |
member.invited | A user was invited to join the organization |
member.invitation_resent | A pending organization invitation was resent |
member.invitation_revoked | A pending organization invitation was revoked |
member.role_changed | An existing member's role was changed |
member.removed | A member was removed from the organization |
org.contact_email_updated | The organization's contact email was changed |
org.ownership_transfer_requested | An owner requested an organization ownership transfer |
org.ownership_transfer_confirmed | An organization ownership transfer was confirmed |
password.changed | A user changed their account password |
password.reset | A user reset their account password |
subscription.changed | The billing plan was upgraded or downgraded |
paymentmethod.updated | A payment method was added or replaced |
activity.exported | The activity log was exported as CSV |
audit.exported | The audit log itself was exported as CSV |
auth.login.success | A user successfully signed in |
auth.login.failed | A sign-in attempt failed (wrong credentials) |
auth.logout | A user signed out |
What is NOT logged?
- Read-only operations: listing endpoints, fetching activity logs, viewing settings.
- Relay payload bodies: PayloadRelay never stores incoming request bodies (see Observability).
- Advanced filter queries: filtering your own activity data is not audit-worthy.
- Full payment details: billing events capture only metadata like plan name and billing interval — never card numbers or bank details.
Event fields
Each audit event contains:
| Field | Description |
|---|---|
id | UUID of the event |
occurredAt | Timestamp (UTC) |
actorEmail | Email address of the user who triggered the action (snapshot) |
actorType | USER, SYSTEM, or API_TOKEN |
actorIp | IP address of the actor (if available) |
actorUserAgent | Browser/client user-agent (truncated to 512 chars) |
action | Action slug (see catalog above) |
targetType | Resource type affected (e.g. ENDPOINT, MEMBER, AUTH) |
targetId | UUID of the affected resource (if applicable) |
targetName | Human-readable name of the resource (snapshot at event time) |
metadata | Action-specific JSON bag (up to 8 KB) |
success | true if the action succeeded; false for failures like auth.login.failed |
errorMessage | Error detail for failed events |
Actor email is a snapshot. Even if a user is deleted later, their email remains in historical audit events.
Querying the audit log
Use the Organization → Audit Log page in the dashboard, or the audit API (GET /audit/events) for programmatic access.
Filter parameters (all optional):
| Parameter | Description |
|---|---|
actorEmailContains | Filter by actor email substring |
action | Filter by action value (dot-notation slug). Multiple values can be comma-separated. Use the API endpoint GET /audit/actions to discover available values, or see the table above for the currently emitted values. |
targetType | Filter by target resource type (ENDPOINT, OUTPUT, TARGET, MEMBER, etc.) |
targetId | Filter by specific target UUID |
from | ISO 8601 start timestamp (inclusive) |
to | ISO 8601 end timestamp (exclusive) |
success | true or false |
limit | Page size (default 50, max 200) |
offset | Pagination offset |
Filtering by action — the action parameter uses the dot-notation value (e.g., endpoint.created, target.updated), not the display name (ENDPOINT_CREATED). For example:
GET /audit/events?action=endpoint.created,target.deleted
GET /audit/events?action=member.invited,member.role_changed&success=trueExporting as CSV
Click Export CSV in the dashboard to download matching audit events. Large exports may be capped or temporarily limited; narrow your filters if the export is too large.
Retention
Audit events are retained for 1 year (365 days) and are removed automatically after the retention period.
Security and compliance
The audit log is designed to assist with:
- SOC 2 Type II — access control, monitoring, and incident response requirements.
- ISO 27001 — logging and traceability of privileged user actions.
- Security investigations — correlate suspicious IP addresses with actions via
actorIp.
Audit events cannot be modified or deleted by organization users. Older events are removed automatically after the retention period.
Related guides
- Endpoint management — learn about the endpoint lifecycle actions that generate audit events.
- Relay targets — target CRUD and SMTP verification are audited.
- Failure alerts — alert configuration changes and auto-pause events appear in the audit log.
- Observability — for request-level activity logs (not audit logs).