Get an identity audit-log row with related events

GET

/portal/v1/accounts/{accountSlug}/audit-log/identities/{id}

Authentication

Bearer Token Authorization
JWT access token

Path Parameters

Name	Required	Type	Description
`id`	Required	`string`

Code samples

cURL

JavaScript

Python

curl -X GET "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities/value" \
  -H "Authorization: Bearer $CANOPY_TOKEN"

const response = await fetch("https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities/value", {
  method: "GET",
  headers: {
    "Authorization": "Bearer $CANOPY_TOKEN"
  },
});

const data = await response.json();

import requests

response = requests.get(
    "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities/value",
    headers={
    "Authorization": "Bearer $CANOPY_TOKEN"
    },
)

data = response.json()

package main

import (
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities/value", nil)
	req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")

	resp, _ := http.DefaultClient.Do(req)
	defer resp.Body.Close()
}

Responses

200 Single audit-log row plus two related-event sidecars: `related_by_correlation` (every other row sharing this row's `correlation_id`, ordered chronologically, capped at 50) and `related_by_actor` (the same actor's last 10 events within a 1-hour window of this row, newest-first). Both sidecars honor `customer_visible = TRUE` AND the surface discriminator independently. Writes one `audit.row.viewed` audit row.

{
  "id": "string",
  "account_id": "string",
  "application_id": "string",
  "environment_id": "string",
  "actor_id": "string",
  "actor_type": "string",
  "action": "string",
  "resource_type": "string",
  "resource_id": "string",
  "metadata": {},
  "created_at": "2026-04-20T12:00:00.000Z",
  "actor_label": "string",
  "resource_label": "string",
  "correlation_id": "00000000-0000-0000-0000-000000000000",
  "outcome": "success",
  "category": "auth",
  "severity": "info",
  "customer_visible": false,
  "identity_visible": false,
  "related_by_correlation": [
    {
      "id": "string",
      "account_id": "string",
      "application_id": "string",
      "environment_id": "string",
      "actor_id": "string",
      "actor_type": "string",
      "action": "string",
      "resource_type": "string",
      "resource_id": "string",
      "metadata": {},
      "created_at": "2026-04-20T12:00:00.000Z",
      "actor_label": "string",
      "resource_label": "string",
      "correlation_id": "00000000-0000-0000-0000-000000000000",
      "outcome": "success",
      "category": "auth",
      "severity": "info",
      "customer_visible": false,
      "identity_visible": false
    }
  ],
  "related_by_actor": [
    {
      "id": "string",
      "account_id": "string",
      "application_id": "string",
      "environment_id": "string",
      "actor_id": "string",
      "actor_type": "string",
      "action": "string",
      "resource_type": "string",
      "resource_id": "string",
      "metadata": {},
      "created_at": "2026-04-20T12:00:00.000Z",
      "actor_label": "string",
      "resource_label": "string",
      "correlation_id": "00000000-0000-0000-0000-000000000000",
      "outcome": "success",
      "category": "auth",
      "severity": "info",
      "customer_visible": false,
      "identity_visible": false
    }
  ]
}

application/json

idstring*
account_idstring
application_idstring
environment_idstring
actor_idstring
actor_typestring*
actionstring*
resource_typestring
resource_idstring
metadataany object*
created_atstring (date-time)*
actor_labelstring
Snapshot label of the actor at write time (email for users / identities, label otherwise). NULL on rows written before the Slice 2 deploy.
resource_labelstring
Snapshot label of the affected resource at write time. NULL on rows written before the Slice 2 deploy.
correlation_idstring (uuid)
Per-request correlation ID — every row written during the same HTTP request (or background job) shares this value. Use the query API's `correlation_id` filter to reconstruct a chain.
outcomeenum: "success" | "failure" | "denied"*
`success` for normal-flow events, `failure` for errors, `denied` for authorization rejections.
categoryenum: "auth" | "identity" | "admin_user" | "tenancy" | "hierarchy" | "rbac" | "authorization" | "api_keys" | "oauth" | "webhooks" | "invites" | "mfa" | "audit" | "billing" | "unknown"
Broad classification from the action catalog (e.g. `auth`, `rbac`). NULL on legacy rows whose action key was unknown at backfill time — those carry the `unknown` value in storage.
severityenum: "info" | "notice" | "warning" | "critical"*
`info` for normal-flow events, `notice` for important state changes, `warning` for failures, `critical` for security events.
customer_visibleboolean*
Whether this row should appear in customer-facing audit views. `false` rows are internal-only (platform support).
identity_visibleboolean*
Whether this row should appear on a future end-user `My security activity` surface. Not consumed by Phase 1 reads.
related_by_correlationAuditLogRowDto[]*
related_by_actorAuditLogRowDto[]*

401 Invalid or expired token

403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)

404 Audit-log row not found. Indistinguishable from a row that exists but belongs to a different Account, a different surface, or is internal-only — disclosing the difference would leak the presence of cross-surface or platform-support rows.

Returned object

The AuditLogDetailResponseDto object View all properties on this resource

On this page