Get audit log
GET /api/v1/audit
Returns audit-relevant events (sessions, tool uses, prompts, lifecycle) with optional filtering by project, worktree, category, and time range.
Parameters
Section titled “ Parameters ”Query Parameters
Section titled “Query Parameters ”Filter by project ID
Filter by worktree ID
Filter by category (session, agent, prompt, config, budget, system, debug)
Filter by source (agent, backend, frontend, container)
Filter by level (info, warning, error)
Filter entries after this timestamp (RFC3339)
Filter entries before this timestamp (RFC3339)
Maximum entries to return (default 10000)
Number of entries to skip
Responses
Section titled “ Responses ”OK
object
AgentType identifies the agent that produced this event (e.g. “claude-code”, “codex”).
Attrs carries structured key-value metadata.
object
Category is the audit category (session, agent, prompt, config, system). Computed at query time from the event name — not stored in the DB.
ContainerName is a snapshot of the container name at the time of the event.
Data carries the raw event payload (for agent events, preserves hook JSON).
Event is a snake_case identifier for the event type (e.g. “session_start”).
ID is the database row identifier. Unique across all entries.
Level is the severity of the entry (info, warn, error).
Message is a human-readable description.
ProjectID is the deterministic project identifier (sha256 of host path, 12 hex chars).
Source identifies the origin layer (agent, backend, frontend, container).
Timestamp is when the event occurred (ISO 8601 with milliseconds).
Worktree is the worktree ID (only for agent events).
Internal Server Error