Audit Logs: Track Every Action in Your Organization
Audit Logs
Section titled “Audit Logs”Every significant action in your Xplorr organization is recorded in the audit log. Logins, role changes, account connections, credential access — it’s all there. Audit logs help you answer “who did what, when, and from where.”
Accessing Audit Logs
Section titled “Accessing Audit Logs”Navigate to Audit in the left sidebar of your console. Audit logs are visible to users with the Admin role or higher.
What Gets Logged
Section titled “What Gets Logged”Authentication Events
Section titled “Authentication Events”| Action | Description |
|---|---|
user.login | Successful password login |
user.login_2fa | Login completed with TOTP 2FA |
user.login_webauthn | Login via passkey/WebAuthn |
user.signed_up | New account created |
user.email_verified | Email address verified |
user.password_changed | Password updated |
user.password_reset_requested | Password reset email sent |
User Management Events
Section titled “User Management Events”| Action | Description |
|---|---|
user.invite_sent | Invitation email sent to new user |
user.joined | User accepted invitation and joined org |
user.updated | Profile updated |
user.role_changed | User role changed (e.g., member → admin) |
user.deactivated | User account deactivated |
user.access_granted | Cloud account access granted to user |
user.access_revoked | Cloud account access revoked |
Security Events
Section titled “Security Events”| Action | Description |
|---|---|
user.2fa_enabled | Two-factor authentication enabled |
user.2fa_disabled | Two-factor authentication disabled |
user.webauthn_registered | Passkey/security key registered |
user.webauthn_removed | Passkey/security key removed |
session.ip_change_revoked | Session revoked due to IP address change |
SSO Events
Section titled “SSO Events”| Action | Description |
|---|---|
sso.configured | SAML SSO configured for org |
sso.disabled | SAML SSO disabled |
sso_login | User logged in via SSO |
Platform Events (Super Admin Only)
Section titled “Platform Events (Super Admin Only)”| Action | Description |
|---|---|
platform.impersonate | Admin impersonated a user |
platform.org_deleted | Organization deleted |
Log Entry Details
Section titled “Log Entry Details”Each audit log entry contains:
| Field | Description |
|---|---|
| Timestamp | When the action occurred (UTC) |
| User Email | Who performed the action |
| Action | The event type (e.g., user.login) |
| Resource Type | Category of the affected resource |
| Resource Name | Name of the affected resource (if applicable) |
| IP Address | The user’s IP address |
| Details | Additional context as JSON |
Sensitive Data
Section titled “Sensitive Data”Audit logs automatically redact sensitive values. Any field containing password, token, secret, key, credentials, authorization, or cookie is replaced with [REDACTED] in the details JSON.
Filtering
Section titled “Filtering”Use the filter controls at the top of the audit page:
| Filter | Description |
|---|---|
| Action | Select a specific event type from the dropdown (populated from your actual events) |
| User Email | Search by user email (supports partial match) |
| Date Range | Filter by start and end date |
Pagination
Section titled “Pagination”Audit logs are paginated with configurable page size (default: 50 entries per page). Navigate between pages using the controls at the bottom.
Exporting to CSV
Section titled “Exporting to CSV”Click Export CSV to download audit logs matching your current filters. The export:
- Includes up to 10,000 rows
- Respects your active filters (action type, user email, date range)
- Contains columns: Timestamp, User, Action, Resource Type, Resource Name, IP Address, Details
- Sanitizes fields to prevent CSV formula injection
# Export via APIcurl -H "Authorization: Bearer $TOKEN" \ "https://api.xplorr.io/api/v1/audit/export?action=user.login&from=2026-03-01&to=2026-03-21" \ -o audit-logs.csvData Retention
Section titled “Data Retention”Audit logs are retained for 14 days. A nightly retention job automatically purges older entries.
To preserve audit logs beyond 14 days:
- Set up a weekly CSV export (manually or via API automation)
- Store exports in your own archival system (S3, Google Cloud Storage, etc.)
API Reference
Section titled “API Reference”| Method | Path | Description |
|---|---|---|
GET | /audit | List audit logs (paginated, filterable) |
GET | /audit/actions | Get distinct action types for filter dropdown |
GET | /audit/export | Export audit logs as CSV |
Query Parameters
Section titled “Query Parameters”| Parameter | Type | Default | Description |
|---|---|---|---|
page | number | 1 | Page number |
limit | number | 50 | Entries per page |
action | string | — | Filter by action type |
user_email | string | — | Filter by email (partial match) |
from | date | — | Start date (YYYY-MM-DD) |
to | date | — | End date (YYYY-MM-DD) |
Example
Section titled “Example”# Get login events from the last weekcurl -H "Authorization: Bearer $TOKEN" \ "https://api.xplorr.io/api/v1/audit?action=user.login&from=2026-03-14&limit=100"{ "logs": [ { "id": "abc123", "action": "user.login", "resource_type": "session", "ip_address": "203.0.113.42", "details": {}, "created_at": "2026-03-20T14:23:01Z" } ], "total": 47, "page": 1, "limit": 100}