Live-tail identity audit-log events (SSE)
/portal/v1/accounts/{accountSlug}/audit-log/identities/streamAuthentication
- Bearer Token
AuthorizationJWT access token
Query Parameters
| Name | Required | Type | Description |
|---|---|---|---|
from | string (date-time) | Lower bound (inclusive). Defaults to `to - 30 days` when omitted. | |
to | string (date-time) | Upper bound (inclusive). Defaults to `now()` when omitted. | |
action | string[] | Filter by one or more action keys. Repeat the query param (`?action=a&action=b`) or pass a comma-separated string. | |
category | enum: "auth" | "identity" | "admin_user" | "tenancy" | "hierarchy" | "rbac" | "authorization" | "api_keys" | "oauth" | "webhooks" | "invites" | "mfa" | "audit" | "billing" | "unknown" | ||
severity | enum: "info" | "notice" | "warning" | "critical" | ||
outcome | enum: "success" | "failure" | "denied" | ||
actor_id | string (uuid) | ||
actor_type | string | Free-form actor-type filter (e.g. `user`, `identity`). | |
resource_type | string | Free-form resource-type filter (e.g. `identity`, `role`, `node`). | |
resource_id | string (uuid) | ||
correlation_id | string (uuid) | ||
application_id | string (uuid) | Narrow to rows for one Application within the Account. Omit to include all Applications. | |
environment_id | string (uuid) | Narrow to rows for one Environment. Implies the Environment's parent Application. Omit to include all Environments. | |
q | string | Full-text query against actor_label, resource_label (trigram), and metadata (GIN). | |
cursor | string | Opaque base64url cursor returned by the previous response. Omit for the first page. | |
limit | number | Page size. Defaults to 50; max 200. |
Code samples
curl -X GET "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities/stream?from=value&to=value&action=value&category=auth&severity=info&outcome=success&actor_id=value&actor_type=value&resource_type=value&resource_id=value&correlation_id=value&application_id=value&environment_id=value&q=value&cursor=value&limit=0" \
-H "Authorization: Bearer $CANOPY_TOKEN"const response = await fetch("https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities/stream?from=value&to=value&action=value&category=auth&severity=info&outcome=success&actor_id=value&actor_type=value&resource_type=value&resource_id=value&correlation_id=value&application_id=value&environment_id=value&q=value&cursor=value&limit=0", {
method: "GET",
headers: {
"Authorization": "Bearer $CANOPY_TOKEN"
},
});
const data = await response.json();import requests
response = requests.get(
"https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities/stream?from=value&to=value&action=value&category=auth&severity=info&outcome=success&actor_id=value&actor_type=value&resource_type=value&resource_id=value&correlation_id=value&application_id=value&environment_id=value&q=value&cursor=value&limit=0",
headers={
"Authorization": "Bearer $CANOPY_TOKEN"
},
)
data = response.json()package main
import (
"net/http"
)
func main() {
req, _ := http.NewRequest("GET", "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities/stream?from=value&to=value&action=value&category=auth&severity=info&outcome=success&actor_id=value&actor_type=value&resource_type=value&resource_id=value&correlation_id=value&application_id=value&environment_id=value&q=value&cursor=value&limit=0", nil)
req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")
resp, _ := http.DefaultClient.Do(req)
defer resp.Body.Close()
}Responses
200 Server-Sent Events stream of new audit rows as they're written. Accepts the same filter DSL as the query endpoint (date range and cursor are ignored — every event is 'now'). Each delivered row is wrapped in an `event: audit-log` frame with the serialized row as `data`. Connection closes on client disconnect, JWT expiry (within the request lifecycle), or a 30-minute hard timeout. Customer-visible rows only, scoped to this surface (admin or identities). Per-Account concurrency cap: 10 simultaneous streams across both surfaces combined. Writes one `audit.live_tail.started` row at open and one `audit.live_tail.ended` row at close.
401 Invalid or expired token
403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)
429 Account has reached the live-tail concurrency limit (10 simultaneous streams across admin + identity surfaces combined). Close an existing stream and retry.