
The AuditLogRowDto object

Example

{
  "id": "string",
  "account_id": "string",
  "application_id": "string",
  "environment_id": "string",
  "actor_id": "string",
  "actor_type": "string",
  "action": "string",
  "resource_type": "string",
  "resource_id": "string",
  "metadata": {},
  "created_at": "2026-04-20T12:00:00.000Z",
  "actor_label": "string",
  "resource_label": "string",
  "correlation_id": "00000000-0000-0000-0000-000000000000",
  "outcome": "success",
  "category": "auth",
  "severity": "info",
  "customer_visible": false,
  "identity_visible": false
}

Properties

  • `id` string*
  • `account_id` string
  • `application_id` string
  • `environment_id` string
  • `actor_id` string
  • `actor_type` string*
  • `action` string*
  • `resource_type` string
  • `resource_id` string
  • `metadata` any object*
  • `created_at` string (date-time)*
  • `actor_label` string

    Snapshot label of the actor at write time (email for users / identities, label otherwise). NULL on rows written before the Slice 2 deploy.

  • `resource_label` string

    Snapshot label of the affected resource at write time. NULL on rows written before the Slice 2 deploy.

  • `correlation_id` string (uuid)

    Per-request correlation ID — every row written during the same HTTP request (or background job) shares this value. Use the query API's `correlation_id` filter to reconstruct a chain.

  • `outcome` enum: "success" | "failure" | "denied"*

    `success` for normal-flow events, `failure` for errors, `denied` for authorization rejections.

  • `category` enum: "auth" | "identity" | "admin_user" | "tenancy" | "hierarchy" | "rbac" | "authorization" | "api_keys" | "oauth" | "webhooks" | "invites" | "mfa" | "audit" | "billing" | "unknown"

    Broad classification from the action catalog (e.g. `auth`, `rbac`). NULL on legacy rows whose action key was unknown at backfill time — those carry the `unknown` value in storage.

  • `severity` enum: "info" | "notice" | "warning" | "critical"*

    `info` for normal-flow events, `notice` for important state changes, `warning` for failures, `critical` for security events.

  • `customer_visible` boolean*

    Whether this row should appear in customer-facing audit views. `false` rows are internal-only (platform support).

  • `identity_visible` boolean*

    Whether this row should appear on a future end-user `My security activity` surface. Not consumed by Phase 1 reads.
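
An added example, not part of the original reference or the product's own code: it groups already-fetched rows by `correlation_id` to rebuild each request's chain in time order and condenses it for triage. The sample rows and action keys are constructed, and the severity ranking and the `needs_review` rule are assumptions drawn from the `severity` and `outcome` descriptions above.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: severity ranks in the order the enum is listed on this page.
SEVERITY_RANK = {"info": 0, "notice": 1, "warning": 2, "critical": 3}

def parse_ts(value):
    # created_at is an ISO 8601 date-time ending in "Z" (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def build_chains(rows):
    """Group rows by correlation_id, oldest first; rows without one stay unchained."""
    chains, unchained = defaultdict(list), []
    for row in rows:
        cid = row.get("correlation_id")
        (chains[cid] if cid else unchained).append(row)
    for chain in chains.values():
        chain.sort(key=lambda r: parse_ts(r["created_at"]))
    return dict(chains), unchained

def summarize(chain):
    """Condense one request's rows into a triage record."""
    worst = max((r["severity"] for r in chain), key=SEVERITY_RANK.__getitem__)
    return {
        # actor_label can be NULL on older rows, so fall back to actor_id.
        "actors": sorted({r.get("actor_label") or r.get("actor_id") or "unknown" for r in chain}),
        "steps": [f'{r["action"]}={r["outcome"]}' for r in chain],
        "worst_severity": worst,
        # Assumed triage rule: any authorization rejection or security event.
        "needs_review": worst == "critical" or any(r["outcome"] == "denied" for r in chain),
    }

def make_row(id_, action, outcome, severity, ts, cid, label="alice@example.test"):
    # Helper for the constructed sample below; action keys are invented placeholders.
    return {"id": id_, "actor_id": "usr_1", "actor_label": label, "action": action,
            "outcome": outcome, "severity": severity, "created_at": ts, "correlation_id": cid}

REQ_A = "11111111-1111-1111-1111-111111111111"
REQ_B = "22222222-2222-2222-2222-222222222222"
SAMPLE_ROWS = [  # constructed, deliberately out of order
    make_row("3", "example.role.assign", "denied", "critical", "2026-04-20T12:00:00.250Z", REQ_A),
    make_row("1", "example.session.check", "success", "info", "2026-04-20T12:00:00.100Z", REQ_A, None),
    make_row("2", "example.profile.read", "success", "info", "2026-04-20T12:00:05.000Z", REQ_B),
    make_row("0", "example.legacy", "success", "info", "2026-04-19T08:00:00.000Z", None, None),
]

if __name__ == "__main__":
    chains, unchained = build_chains(SAMPLE_ROWS)
    for cid, chain in chains.items():
        print(cid, summarize(chain))
    print("rows without correlation_id:", [r["id"] for r in unchained])
```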