Atom

Audit Log

Query the audit log for authorization decisions and identity events.

GraphQL auditLogs

Reads audit log entries that Atom writes for authorization checks, logins, logouts, lifecycle changes, and credential operations.

Successful high-volume authz.check, auth.login, and gRPC credential-authentication allow events are not written to audit_logs by default. Atom counts them in metrics and emits traces instead. Set ATOM_AUDIT_HOT_PATH_ALLOW_DB_ENABLED=true to persist those allow events too. Deny/error audit events, explicit authz.explain calls, admin mutations, lifecycle events, and credential changes remain durable DB audit entries.

Arguments

| Parameter | Type | Default | Description |
|---|---|---|---|
| actorEntityId | UUID | | Filter by entity that performed the action |
| targetKind | string | | Filter by target object kind, such as entity, resource, tenant, credential, or role |
| targetId | UUID | | Filter by target object ID |
| tenantId | UUID | | Filter by tenant-scoped audit entries |
| event | string | | Filter by event type |
| outcome | allow \| deny \| error | | Filter by outcome |
| from | datetime (ISO 8601) | | Start of time range (inclusive) |
| to | datetime (ISO 8601) | | End of time range (exclusive) |
| limit | int | 50 | Results per page (1-200) |
| offset | int | 0 | Pagination offset |

Response

{
  "items": [
    {
      "id": "log1-...",
      "actorEntityId": "svc-...",
      "targetKind": "resource",
      "targetId": "r1-...",
      "event": "authz.check",
      "outcome": "deny",
      "details": {
        "action": "write",
        "reason": "no matching allow policy"
      },
      "createdAt": "2026-04-24T10:30:00Z"
    },
    {
      "id": "log2-...",
      "actorEntityId": "aaa-...",
      "targetKind": "entity",
      "targetId": "aaa-...",
      "event": "auth.login",
      "outcome": "allow",
      "details": {
        "identifier": "alice"
      },
      "createdAt": "2026-04-24T10:25:00Z"
    }
  ],
  "total": 142
}

Event types

| Event | When it's written | Details contain |
|---|---|---|
| authz.check | Authorization check decision; successful allows require ATOM_AUDIT_HOT_PATH_ALLOW_DB_ENABLED=true | action, resource_id, reason |
| authz.explain | Authorization explanation decision | action, resource_id, reason |
| auth.login | Login decision; successful allows require ATOM_AUDIT_HOT_PATH_ALLOW_DB_ENABLED=true | identifier |
| auth.logout | Session revocation | {} |
| entity.update / entity.enable / entity.disable / entity.delete / entity.restore / entity.purge | Entity lifecycle changes | changed fields or status where relevant |
| resource.update / resource.delete / resource.restore / resource.purge | Resource lifecycle changes | changed fields where relevant |
| credential.create | Password or access-token credential created | kind, optionally credential_id |
| credential.revoke | Credential revoked | credential_id |

Use cases

| Query | Endpoint |
|---|---|
| Why was channel-01 denied in the last hour? | auditLogs(targetKind: "resource", targetId: "...", event: "authz.check", outcome: deny, from: "2026-04-24T09:30:00Z") |
| Failed login activity today, plus successful logins when hot-path allow DB audit is enabled | auditLogs(event: "auth.login", from: "2026-04-24T00:00:00Z") |
| All audit events for Alice | entityAuditLogs(entityId: "...") |
| All failed authorization checks | auditLogs(event: "authz.check", outcome: deny, limit: 100) |

Audit logs are immutable — there are no write or delete operations on this endpoint.
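The following is an added example, not part of Atom's own documentation, that pages through auditLogs with limit and offset and counts denied auth.login events per identifier. The `execute` callable, the selection set, and the sample rows are assumptions: the page does not give the HTTP endpoint or authentication, so the transport is injected and a constructed in-memory stand-in is used.

```python
import json
import re
from collections import Counter

MAX_LIMIT = 200  # the page documents limit as 1-200

def build_query(event, outcome, start, end, limit, offset):
    """Render an auditLogs query with inline arguments, as the page's use cases do."""
    # outcome is written unquoted on the page, so allow only the documented values.
    if outcome not in ("allow", "deny", "error"):
        raise ValueError(f"unknown outcome: {outcome!r}")
    if not 1 <= limit <= MAX_LIMIT or offset < 0:
        raise ValueError("limit must be 1-200 and offset >= 0")
    # json.dumps escapes quotes and backslashes, so values cannot break out of the literal.
    args = (f"event: {json.dumps(event)}, outcome: {outcome}, "
            f"from: {json.dumps(start)}, to: {json.dumps(end)}, "
            f"limit: {limit}, offset: {offset}")
    # Assumed selection set, taken from the fields in the sample response.
    return "{ auditLogs(" + args + ") { items { id event outcome details createdAt } total } }"

def fetch_all(execute, event, outcome, start, end, limit=MAX_LIMIT):
    """Collect every row in [start, end). Use a fixed `end` so rows written during
    paging fall outside the window."""
    rows, offset = [], 0
    while True:
        page = execute(build_query(event, outcome, start, end, limit, offset))
        rows.extend(page["items"])
        offset += len(page["items"])
        if not page["items"] or offset >= page["total"]:
            return rows

def failed_logins_by_identifier(execute, start, end, limit=MAX_LIMIT):
    """Count denied auth.login events per details.identifier."""
    rows = fetch_all(execute, "auth.login", "deny", start, end, limit)
    return Counter(r["details"].get("identifier", "<unknown>") for r in rows)

# Constructed rows and a stand-in transport; a real `execute` would POST the query
# to the Atom GraphQL endpoint and return the auditLogs object from the response.
SAMPLE = [{"id": f"log{i}", "event": "auth.login", "outcome": "deny",
           "details": {"identifier": name}, "createdAt": "2026-04-24T10:00:00Z"}
          for i, name in enumerate(["alice"] * 3 + ["bob"] * 2)]

def fake_execute(query):
    limit = int(re.search(r"limit: (\d+)", query).group(1))
    offset = int(re.search(r"offset: (\d+)", query).group(1))
    return {"items": SAMPLE[offset:offset + limit], "total": len(SAMPLE)}

if __name__ == "__main__":
    print(failed_logins_by_identifier(fake_execute, "2026-04-24T00:00:00Z",
                                      "2026-04-25T00:00:00Z", limit=2))
```

With default settings this count covers failures only: successful auth.login rows appear in the results only when ATOM_AUDIT_HOT_PATH_ALLOW_DB_ENABLED=true, so an empty allow set does not mean nobody logged in.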
