Audit log

The audit log is a per-org, append-only feed of privileged actions. Every action that mutates membership, visibility, content, branding, themes, or domains lands as an event row on the org's audit feed.

Who can see it

Only org admins can read the audit feed for their org. Non-admin requests get 404 to avoid leaking org existence. The audit feed is per-org — there is no cross-org global view.

What's recorded

Every event row has:

  • action — a dotted action key (e.g. share.delete, share.visibility, org.member.add).
  • actor — the username of the person who triggered the action (or null for system-emitted events, which are rare).
  • target_type + target_id — what was acted on (share / project / org / member / etc.).
  • metadata — a JSON blob with action-specific context (e.g. {from: "unlisted", to: "public"} for visibility changes).
  • created_at — ms-epoch timestamp.

Common action keys (not exhaustive):

| Surface | Actions |
| --- | --- |
| Shares | share.create, share.update, share.delete, share.visibility, share.password.set, share.password.clear, share.move, share.rename, share.content_type, share.link_permission, share.restore |
| Members | org.member.add, org.member.remove, project.member.add, project.member.remove, share.member.add, share.member.remove, org.viewer.add, org.viewer.remove |
| Invites | org.invite.create |
| Branding | org.branding.logo.set, org.branding.logo.delete, org.branding.set |
| Themes | org.theme.set, org.theme.clear, project.theme.set, project.theme.clear, share.theme.set, share.theme.clear |
| Domains | domain.add, domain.verify, domain.remove |
| Access | access_request.create, access_request.approve, access_request.deny |
| Suggestions | share.suggestion.create, share.suggestion.approve, share.suggestion.reject |
| Versions | share.restore |

The exact set evolves — new actions are added when new surfaces ship. See src/services/audit.ts for the live catalog.

Reading the feed

Web

Dashboard → Settings → Activity shows the latest events with a filter dropdown for the most common action types.

API

GET /api/v1/orgs/:slug/audit — cursor-paginated, newest first.

Common queries:

# Last 50 events
curl -s 'https://anchorify.io/api/v1/orgs/alice/audit?limit=50' \
  -H "Authorization: Bearer $REPO_SHARE_TOKEN"

# Only visibility flips
curl -s 'https://anchorify.io/api/v1/orgs/alice/audit?action=share.visibility' \
  -H "Authorization: Bearer $REPO_SHARE_TOKEN"

# Only deletes
curl -s 'https://anchorify.io/api/v1/orgs/alice/audit?action=share.delete' \
  -H "Authorization: Bearer $REPO_SHARE_TOKEN"
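
The event rows returned by these queries can be triaged for changes that widen exposure. The following is an added example, not the project's own code: it assumes the rows have already been parsed into dicts carrying the fields listed under "What's recorded" (the response envelope and cursor parameter are not shown on this page), and the choice of flagged actions, the burst thresholds, and the row() helper are hypothetical.

```python
from collections import defaultdict

# Action keys taken from the page's catalog; treating these as "widens access"
# and the burst thresholds are assumptions of this example.
WIDENS_ACCESS = {"share.password.clear", "domain.add", "org.member.add", "org.invite.create"}
DELETE_BURST, BURST_WINDOW_MS = 3, 60_000


def triage(events):
    """Return (created_at, actor, action, reason) tuples, oldest first."""
    findings = []
    deletes = defaultdict(list)  # actor -> created_at of share.delete events in window
    # The feed is newest first; replay oldest first so the burst window slides forward.
    for ev in sorted(events, key=lambda e: e["created_at"]):
        action, actor, ts = ev["action"], ev["actor"], ev["created_at"]
        meta = ev.get("metadata") or {}
        if actor is None:
            findings.append((ts, actor, action, "system-emitted, no actor"))
        if action == "share.visibility" and meta.get("to") == "public":
            findings.append((ts, actor, action, f"made public, was {meta.get('from')}"))
        elif action in WIDENS_ACCESS:
            findings.append((ts, actor, action, "widens access"))
        elif action == "share.delete":
            deletes[actor] = [t for t in deletes[actor] if ts - t <= BURST_WINDOW_MS] + [ts]
            if len(deletes[actor]) == DELETE_BURST:
                findings.append((ts, actor, action, f"{DELETE_BURST} deletes within window"))
    return findings


def row(action, actor, created_at, target_type="share", target_id="s1", **metadata):
    """Build one constructed event row with the fields the page lists."""
    return {"action": action, "actor": actor, "target_type": target_type,
            "target_id": target_id, "metadata": metadata, "created_at": created_at}


# Constructed sample rows (not real audit data), newest first like the API.
T0 = 1_700_000_000_000
SAMPLE = [
    row("share.delete", "bob", T0 + 50_000, target_id="s4"),
    row("share.delete", "bob", T0 + 40_000, target_id="s3"),
    row("share.delete", "bob", T0 + 30_000, target_id="s2"),
    row("domain.verify", None, T0 + 20_000, target_type="domain", target_id="d1"),
    row("share.visibility", "alice", T0 + 10_000, **{"from": "unlisted", "to": "public"}),
    row("share.rename", "alice", T0),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Because token mints and sign-ins are not in this feed, correlating a flagged actor with authentication activity requires the server logs.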

What's not recorded

Audit is for privileged actions. Read paths and recipient interactions are deliberately out of scope:

  • Share views — see Analytics for the per-share view metrics.
  • Comments and reactions — captured as comment rows + reaction rows, not as audit events.
  • Token mints / sign-ins — auth events live in server logs, not in the user-visible audit feed.

Retention

Audit events are retained indefinitely. There is no purge API; if a row needs to be removed (e.g. for legal reasons), contact the operator.