Audit logs
Your project automatically records audit logs for all CRUD operations, authentication events, and API key calls. Logs are viewable from the /audit-log page with filtering, sorting, and an activity chart.
What gets logged
CRUD operations
Every create, update, and delete operation on any entity is automatically logged with the old and new data.
Authentication events
| Operation | Code |
|---|---|
| Sign in | SI |
| Sign in failed | SIF |
| Sign out | SO |
| Sign up | SU |
| Password reset request | PRR |
| Password reset confirm | PRC |
| Password change | PC |
| Email verify confirm | VEC |
| Email change request | ECR |
| Email change confirm | ECC |
API key calls
Every API call made with an API key is logged with one of the following operation codes, chosen by HTTP method:
| Operation | Code | HTTP method |
|---|---|---|
| API GET | AG | GET |
| API POST | APO | POST |
| API PUT | APU | PUT |
| API DELETE | AD | DELETE |
API key audit logs also record the endpoint path and HTTP response code.
Audit log page
The /audit-log page displays:
- Activity chart: Visual chart of activity over time (requires timezone from the browser).
- Log table: Paginated list of all audit entries with human-readable descriptions.
- View dialog: Click any log to see the full old/new data diff.
Filtering
Logs can be filtered by:
- Entity name
- Operation type
- Timestamp range
- API key
- Member
- API endpoint
- HTTP response code
Data recorded
Each audit log entry stores:
| Field | Description |
|---|---|
| entityId | ID of the affected record |
| entityName | Name of the entity (e.g., "Member", "User") |
| operation | Operation code (see tables above) |
| oldData | Previous state of the record (JSON) |
| newData | New state of the record (JSON) |
| userId | User who performed the action |
| memberId | Member who performed the action |
| organizationId | Organization context |
| apiKeyId | API key used (if applicable) |
| apiHttpResponseCode | HTTP response code (API key calls only) |
| apiEndpoint | API endpoint path (API key calls only) |
| timestamp | When the action occurred |
Data sanitization
Before storing, audit data is sanitized:
- downloadUrl properties are removed (signed URLs shouldn't be logged)
- Date objects are converted to ISO strings
- Prisma Decimal objects are converted to strings
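The sanitization rules above can be sketched as a recursive function. This is an added example, not the project's own code: the names sanitizeAuditData, DecimalLike and sanitizedSample are hypothetical, DecimalLike stands in for Prisma's Decimal, and applying the rules to nested objects and arrays is an assumption.

```typescript
// Added example: a sanitizer following the three rules above. Not the project's code.
// DecimalLike is a constructed stand-in for Prisma's Decimal so the block runs offline.
class DecimalLike {
  readonly repr: string;
  constructor(repr: string) { this.repr = repr; }
  toString(): string { return this.repr; }
}

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

function sanitizeAuditData(value: unknown): Json {
  if (value === null || value === undefined) return null;
  // Assumption: an invalid Date is stored as null, since toISOString() would throw.
  if (value instanceof Date) return isNaN(value.getTime()) ? null : value.toISOString();
  if (value instanceof DecimalLike) return value.toString();
  if (Array.isArray(value)) return value.map((item) => sanitizeAuditData(item));
  if (typeof value === "object") {
    const source = value as Record<string, unknown>;
    const out: { [key: string]: Json } = {}; // new object: the input is never mutated
    for (const key of Object.keys(source)) {
      // A signed URL grants access to whoever holds it, so it never reaches the log.
      if (key === "downloadUrl") continue;
      out[key] = sanitizeAuditData(source[key]);
    }
    return out;
  }
  if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
    return value;
  }
  return String(value); // bigint, symbol, function: keep a printable form only
}

// Constructed sample record; the URLs and signature values are placeholders.
const sample = {
  id: "doc_1",
  price: new DecimalLike("19.990"),
  createdAt: new Date("2024-01-02T03:04:05.000Z"),
  downloadUrl: "https://files.example.invalid/doc_1?sig=CONSTRUCTED",
  attachments: [{ name: "a.pdf", downloadUrl: "https://files.example.invalid/a?sig=CONSTRUCTED" }],
};

function sanitizedSample(): string {
  return JSON.stringify(sanitizeAuditData(sample));
}
```

The nested attachment shows why the key check has to run at every depth: a top-level-only filter would leave that signed URL in oldData or newData.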
Permissions
Audit log viewing requires the auditLog permission resource with read action. Admins have this permission by default.
API endpoints
| Method | Path | Description |
|---|---|---|
| GET | /api/audit-log | List audit logs (filtered) |
| GET | /api/audit-log/activity-chart | Activity chart data |
Key files
| File | Description |
|---|---|
| backend/src/features/auditLog/auditLogCreate.ts | Creates audit log entries |
| backend/src/features/auditLog/auditLogOperations.ts | Operation code definitions |
| backend/src/features/auditLog/auditLogApiKeyCall.ts | API key call logging |
| backend/src/features/auditLog/auditLogApiRoutes.ts | API routes |
| frontend/src/features/auditLog/pages/AuditLogListPage.tsx | Audit log list page |
| frontend/src/features/auditLog/components/AuditLogViewDialog.tsx | Detail view dialog |