Workflows: Review the audit log
The audit log is the source of truth for who did what within a tenant. This page covers the common review patterns.
Prerequisites
acaso_os:adminon the connection. Audit access is admin-gated in v1. Operators without admin do not see the Audit nav item.
Open the audit log
Open /audit. The page calls GET /v1/admin/tenants/{slug}/audit-log?limit=50 and renders a chronological table (newest first) with columns for timestamp, actor (key id + resolved user display name), action, resource, and request_id.
Filter
The filter bar uses nuqs to mirror state into the URL. Sharing the URL with another operator reconstructs the exact view.
| Filter | Effect |
|---|---|
Date range (from, to) | Constrain to a window. |
| Action prefix | user.* shows all user-related actions, role.* for roles, etc. |
| Actor user id | All actions by one operator. |
| Subject id | All actions on one resource (a user, a chat, a statement). |
pii_touched = true | Only actions that touched PII fields. |
Inspect a row
Click any row to open the right-side detail sheet. The sheet renders:
- The full action and resource.
- The actor (key id, resolved user, IP, user agent).
pii_touchedflag.- The
metadataJSON (collapsible) — typically a before/after diff for updates. - The
request_id, copyable in one click.
The request id is the cross-reference for support tickets and log search.
Common review patterns
"Who archived chat #abc?"
Filter by subject_id = abc and action prefix chat. The row shows the actor_user_id and the timestamp.
"What did Alice do yesterday?"
Filter by actor_user_id = <Alice's UUID> and the date range. The table lists every write she performed.
"Anything touched user U's PII in the last 90 days?"
Filter by subject_id = U, pii_touched = true, and a 90-day window.
"What changed about role member this quarter?"
Filter by subject_id = <member role's UUID> and action prefix role.. The detail sheet of each row shows the scope diff in the metadata.
Export
The console does not offer a built-in export in v1. For ad-hoc exports, hit GET /v1/admin/tenants/{slug}/audit-log?cursor=...&limit=200 directly from a curl or notebook against the API and stitch the pages. The request_id field correlates across the platform's logs.
Note: The audit log is append-only. Rows cannot be edited or deleted through any API surface. Retention is governed by the deployment's compliance policy.