get_api_operator_v1_audit
const url = 'https://example.com/api/operator/v1/audit';const options = {method: 'GET'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request GET \ --url https://example.com/api/operator/v1/auditParameters
Section titled “Parameters”Query Parameters
Section titled “Query Parameters”Time window in hours back from now. Default 720 (30 days) — the operator console is a recent-activity view bounded for a cross-tenant scan.
security | override | change (the client-derived SCHWERE tab).
An exact actor key — actor_id, else actor_type.
Exact outcome value (the result-chip filter).
Free-text search over actor id/label/email + action + target type/id.
Whitelisted sort key: created_at | actor_key | action | target_type | outcome.
Sort direction asc | desc (default desc).
Recompute the window facets (default true).
Responses
Section titled “Responses”One page of the audit board: the rows, the filtered total (for the pager),
and — only when requested — the window facets (null otherwise; the client
keeps the ones it already holds for the unchanged window).
object
Aggregate counts + option lists the board needs that a single page can no longer derive: the Alle/Sicherheit/Overrides tab counts, the U/M/S actor chips, and the Akteur/Aktion/Ziel select options. Computed over the WHOLE time window (independent of the active severity/actor/action/target select).
object
The window-scoped outcome chip buckets ({value,count}), largest first.
Only rows that carry a decision outcome are bucketed (a NULL-outcome row
is not a privileged decision and has no result chip).
One filter-chip value and its count. Counts are workspace-wide (independent of the active filter — the chip totals do not shift as the user filters).
object
How many rows fall in this bucket.
The bucket value (e.g. a scope, a role, a framework).
object
Resolved human actor label/email for a user actor — the filtered audit-board
query (list_filtered) populates these via a LEFT JOIN on user_profiles /
auth.users; every other SELECT * decode leaves them None (the column is
absent), so #[sqlx(default)] keeps those call sites working unchanged. The UI
shows the label when present and falls back to a shortened actor_id otherwise.
How a privileged decision RESOLVED: allowed | denied | approved | rejected | scope_bound | frozen | escalated | ... (open vocabulary, set by the writer
AuditInput::with_outcome at the decision call sites). None for every
non-decision event (a plain mutation, a read) and every historical row; the
Reports Audit board renders the result chip only when this is Some. Decoded
from the audit_events.outcome column (migration 261); #[sqlx(default)]
keeps a projection that omits the column (e.g. a count-only CTE) decoding.
The redacted event payload (the audit drawer reads it as a typed map).
Runtime stays serde_json::Value; the spec types it as an open map.
object
The privileged-decision KPI block — null unless facets were requested (it
is window-scoped like the facets, so it rides the same include_facets gate;
the client keeps the values it holds for an unchanged window).
object
Danger gates the human APPROVED (outcome = approved).
Danger escalations (exfil block, profile freeze, escalated outcome).
Danger gates the human REJECTED (outcome = rejected | denied).
Member lifecycle changes (suspend / reactivate / seat assignment).
Revocations (member removal, invite/grant/token revoke).
Role + ownership changes (set role, transfer ownership).
Events whose decision was scope-bound (outcome = scope_bound).
Credential / OAuth / secret access events.
Examplegenerated
{ "facets": { "actions": [ "example" ], "actor_m2m": 1, "actor_system": 1, "actor_user": 1, "actors": [ "example" ], "all": 1, "by_outcome": [ { "count": 1, "value": "example" } ], "override": 1, "security": 1, "targets": [ "example" ] }, "items": [ { "action": "example", "actor_email": "example", "actor_id": "example", "actor_label": "example", "actor_type": "example", "correlation_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "created_at": "2026-04-15T12:00:00Z", "id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "outcome": "example", "payload_redacted": { "additionalProperty": "example" }, "project_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "reason": "example", "target_id": "example", "target_type": "example", "task_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "workspace_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0" } ], "kpis": { "danger_approved": 1, "danger_escalations": 1, "danger_rejected": 1, "member_mutations": 1, "revocations": 1, "role_changes": 1, "scope_bound": 1, "secret_accesses": 1 }, "total": 1}