Query identity audit-log events

Identity surface — returns rows where an end-user identity is the actor OR the resource. Admin-on-identity rows appear here so customers can answer 'everything that ever happened to identity X' from a single endpoint. Same database row may also be returned by the admin surface.

GET

/portal/v1/accounts/{accountSlug}/audit-log/identities

Authentication

Bearer Token Authorization
JWT access token

Query Parameters

Name	Required	Type	Description
`from`	Optional	`string (date-time)`	Lower bound (inclusive). Defaults to `to - 30 days` when omitted.
`to`	Optional	`string (date-time)`	Upper bound (inclusive). Defaults to `now()` when omitted.
`action`	Optional	`string[]`	Filter by one or more action keys. Repeat the query param (`?action=a&action=b`) or pass a comma-separated string.
`category`	Optional	`enum: "auth" \| "identity" \| "admin_user" \| "tenancy" \| "hierarchy" \| "rbac" \| "authorization" \| "api_keys" \| "oauth" \| "webhooks" \| "invites" \| "mfa" \| "audit" \| "billing" \| "unknown"`
`severity`	Optional	`enum: "info" \| "notice" \| "warning" \| "critical"`
`outcome`	Optional	`enum: "success" \| "failure" \| "denied"`
`actor_id`	Optional	`string (uuid)`
`actor_type`	Optional	`string`	Free-form actor-type filter (e.g. `user`, `identity`).
`resource_type`	Optional	`string`	Free-form resource-type filter (e.g. `identity`, `role`, `node`).
`resource_id`	Optional	`string (uuid)`
`correlation_id`	Optional	`string (uuid)`
`application_id`	Optional	`string (uuid)`	Narrow to rows for one Application within the Account. Omit to include all Applications.
`environment_id`	Optional	`string (uuid)`	Narrow to rows for one Environment. Implies the Environment's parent Application. Omit to include all Environments.
`q`	Optional	`string`	Full-text query against actor_label, resource_label (trigram), and metadata (GIN).
`cursor`	Optional	`string`	Opaque base64url cursor returned by the previous response. Omit for the first page.
`limit`	Optional	`number`	Page size. Defaults to 50; max 200.

Code samples

cURL

JavaScript

Python

curl -X GET "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities?from=value&to=value&action=value&category=auth&severity=info&outcome=success&actor_id=value&actor_type=value&resource_type=value&resource_id=value&correlation_id=value&application_id=value&environment_id=value&q=value&cursor=value&limit=0" \
  -H "Authorization: Bearer $CANOPY_TOKEN"

const response = await fetch("https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities?from=value&to=value&action=value&category=auth&severity=info&outcome=success&actor_id=value&actor_type=value&resource_type=value&resource_id=value&correlation_id=value&application_id=value&environment_id=value&q=value&cursor=value&limit=0", {
  method: "GET",
  headers: {
    "Authorization": "Bearer $CANOPY_TOKEN"
  },
});

const data = await response.json();

import requests

response = requests.get(
    "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities?from=value&to=value&action=value&category=auth&severity=info&outcome=success&actor_id=value&actor_type=value&resource_type=value&resource_id=value&correlation_id=value&application_id=value&environment_id=value&q=value&cursor=value&limit=0",
    headers={
    "Authorization": "Bearer $CANOPY_TOKEN"
    },
)

data = response.json()

package main

import (
	"net/http"
)

func main() {
	req, _ := http.NewRequest("GET", "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/audit-log/identities?from=value&to=value&action=value&category=auth&severity=info&outcome=success&actor_id=value&actor_type=value&resource_type=value&resource_id=value&correlation_id=value&application_id=value&environment_id=value&q=value&cursor=value&limit=0", nil)
	req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")

	resp, _ := http.DefaultClient.Do(req)
	defer resp.Body.Close()
}

Responses

200 Cursor-paginated list

{
  "items": [
    {
      "id": "string",
      "account_id": "string",
      "application_id": "string",
      "environment_id": "string",
      "actor_id": "string",
      "actor_type": "string",
      "action": "string",
      "resource_type": "string",
      "resource_id": "string",
      "metadata": {},
      "created_at": "2026-04-20T12:00:00.000Z",
      "actor_label": "string",
      "resource_label": "string",
      "correlation_id": "00000000-0000-0000-0000-000000000000",
      "outcome": "success",
      "category": "auth",
      "severity": "info",
      "customer_visible": false,
      "identity_visible": false
    }
  ],
  "pagination": {
    "next_cursor": "string"
  }
}

application/json

itemsAuditLogRowDto[]*
paginationobject*

400 Cursor is malformed (bad base64, bad JSON shape, or invalid timestamp/UUID). Drop the cursor and start a fresh query.

401 Invalid or expired token

403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)

Pagination

This endpoint returns a paginated collection. Use the query parameters below to page through results.

page: Page number (1-indexed). Defaults to 1.
take: Items per page (1–100). Defaults to 20.

Each response includes an items array alongside a pagination object with item_count, page_count, has_previous_page, and has_next_page fields.

Returned object

The AuditLogRowDto object View all properties on this resource

On this page