---
name: audit
description: Org activity feed — what's recorded, who can see it, how to filter.
---

# Audit log

The audit log is a per-org, append-only feed of privileged actions. Every action that mutates membership, visibility, content, branding, themes, or domains lands as an event row on the org's audit feed.

## Who can see it

Only **org admins** can read the audit feed for their org. Non-admin requests get `404` to avoid leaking org existence. The audit feed is per-org — there is no cross-org global view.

## What's recorded

Every event row has:

- `action` — a dotted action key (e.g. `share.delete`, `share.visibility`, `org.member.add`).
- `actor` — the username of the person who triggered the action (or `null` for system-emitted events, which are rare).
- `target_type` + `target_id` — what was acted on (`share` / `project` / `org` / `member` / etc.).
- `metadata` — a JSON blob with action-specific context (e.g. `{"from": "unlisted", "to": "public"}` for visibility changes).
- `created_at` — ms-epoch timestamp.

Common action keys (not exhaustive):

| Surface | Actions |
| ------- | ------- |
| Shares | `share.create`, `share.update`, `share.delete`, `share.visibility`, `share.password.set`, `share.password.clear`, `share.move`, `share.rename`, `share.content_type`, `share.link_permission`, `share.restore` |
| Members | `org.member.add`, `org.member.remove`, `project.member.add`, `project.member.remove`, `share.member.add`, `share.member.remove`, `org.viewer.add`, `org.viewer.remove` |
| Invites | `org.invite.create` |
| Branding | `org.branding.logo.set`, `org.branding.logo.delete`, `org.branding.set` |
| Themes | `org.theme.set`, `org.theme.clear`, `project.theme.set`, `project.theme.clear`, `share.theme.set`, `share.theme.clear` |
| Domains | `domain.add`, `domain.verify`, `domain.remove` |
| Access | `access_request.create`, `access_request.approve`, `access_request.deny` |
| Suggestions | `share.suggestion.create`, `share.suggestion.approve`, `share.suggestion.reject` |
| Versions | `share.restore` |

The exact set evolves — new actions are added when new surfaces ship. See `src/services/audit.ts` for the live catalog.

## Reading the feed

### Web

`Dashboard` → `Settings` → `Activity` shows the latest events with a filter dropdown for the most common action types.

### API

[`GET /api/v1/orgs/:slug/audit`](/docs/api#get-apiv1orgsslugaudit--org-activity-feed) — cursor-paginated, newest first.

Common queries:

```bash
# Last 50 events
curl -s 'https://anchorify.io/api/v1/orgs/alice/audit?limit=50' \
  -H "Authorization: Bearer $REPO_SHARE_TOKEN"

# Only visibility flips
curl -s 'https://anchorify.io/api/v1/orgs/alice/audit?action=share.visibility' \
  -H "Authorization: Bearer $REPO_SHARE_TOKEN"

# Only deletes
curl -s 'https://anchorify.io/api/v1/orgs/alice/audit?action=share.delete' \
  -H "Authorization: Bearer $REPO_SHARE_TOKEN"
```
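
An added example, not the project's own code: a triage pass over exported event rows that flags shares made public, cleared share passwords, and a burst of deletes by one actor. The sample rows, the `row` and `triage` names, and the window and threshold values are assumptions; only the field names, action keys, and the visibility `metadata` shape come from this page.

```python
from collections import defaultdict, deque

def row(action, actor, target_id, created_at, metadata=None):
    """Build a constructed event row with the fields documented above."""
    return {"action": action, "actor": actor, "target_type": "share",
            "target_id": target_id, "metadata": metadata or {},
            "created_at": created_at}

# Constructed sample feed, newest first like the API. Usernames, ids and
# timestamps are invented; only the visibility metadata shape is documented.
SAMPLE_EVENTS = [
    row("share.delete", "carol", "s9", 1700000130000),
    row("share.delete", "carol", "s8", 1700000120000),
    row("share.delete", "carol", "s7", 1700000110000),
    row("share.password.clear", "bob", "s2", 1700000050000),
    row("share.visibility", "bob", "s1", 1700000040000,
        {"from": "unlisted", "to": "public"}),
    row("share.visibility", "alice", "s3", 1700000030000,
        {"from": "public", "to": "unlisted"}),
    row("share.delete", "alice", "s4", 1700000000000),
]

def triage(events, window_ms=60_000, burst=3):
    """Return (finding, actor, target_id) tuples, oldest first."""
    findings, recent, flagged = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["created_at"]):
        action, actor = ev["action"], ev.get("actor")  # actor is None for system events
        meta = ev.get("metadata") or {}
        if action == "share.visibility" and meta.get("to") == "public":
            findings.append(("made_public", actor, ev["target_id"]))
        elif action == "share.password.clear":
            findings.append(("password_cleared", actor, ev["target_id"]))
        elif action == "share.delete":
            times = recent[actor]
            times.append(ev["created_at"])
            # Drop deletes that fell out of the sliding window.
            while times[0] < ev["created_at"] - window_ms:
                times.popleft()
            if len(times) >= burst and actor not in flagged:
                flagged.add(actor)  # report each actor once
                findings.append(("delete_burst", actor, None))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Because the feed is newest first, the function sorts by `created_at` before applying the sliding window, so rows collected across several pages can be passed in any order.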

## What's not recorded

Audit is for privileged actions. Read paths and recipient interactions are deliberately out of scope:

- **Share views** — see [Analytics](/docs/analytics) for the per-share view metrics.
- **Comments and reactions** — captured as comment rows + reaction rows, not as audit events.
- **Token mints / sign-ins** — auth events live in server logs, not in the user-visible audit feed.

## Retention

Audit events are retained indefinitely. There is no purge API; if a row needs to be removed (e.g. for legal reasons), contact the operator.
