> ## Documentation Index
> Fetch the complete documentation index at: https://docs.karta.sh/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit log

> An immutable record of material account changes, exportable through the dashboard and API.

Karta records audit entries for material account changes: keys minted, budgets
changed, releases activated, webhook endpoints updated, model credentials
stored, and members invited or removed.

Use this page when a security reviewer or operator needs to answer "who changed
this account state, from where, and when?" For session transcripts, use
[Sessions & participants](/concepts/sessions-and-participants) instead.

## What gets recorded

Each event includes:

| Field                        | Meaning                                                                        |
| ---------------------------- | ------------------------------------------------------------------------------ |
| `created_at`                 | When the event was recorded.                                                   |
| `action`                     | The machine-readable action, such as `api_key.created` or `release.activated`. |
| `actor_email`                | The user who acted, when a user is present.                                    |
| `api_key_prefix`             | The API key prefix, when an API key acted.                                     |
| `subject_type`, `subject_id` | The affected resource.                                                         |
| `ip_address`, `user_agent`   | Request context for investigation.                                             |
| `metadata`                   | Structured action-specific context, with secrets omitted.                      |

Sensitive values such as bearer tokens, webhook secrets, and BYOK plaintext are
not recorded.

## Query and export

Owners and admins can review audit events in the dashboard. API export requires
the `audit_log:export` scope:

| Need            | Request                                 | Notes                                                                                           |
| --------------- | --------------------------------------- | ----------------------------------------------------------------------------------------------- |
| JSON page       | `GET /api/audit_events`                 | Returns `data` plus `meta.row_estimate` and `meta.limit`; default limit is `100`, max is `500`. |
| CSV export      | `GET /api/audit_events.csv`             | Returns `text/csv` with the export rows.                                                        |
| Filter          | `event_action`, `user_id`, `from`, `to` | Dates use `YYYY-MM-DD`; invalid dates are ignored.                                              |
| Proof of export | `audit_log.exported`                    | Every JSON or CSV export writes an audit event before returning rows.                           |

```bash theme={null}
curl "https://api.karta.sh/api/audit_events.csv?event_action=api_key.created" \
  -H "Authorization: Bearer $KARTA_API_KEY"
```

Expected signal: the response content type is `text/csv`, and a later audit-log
query includes an `audit_log.exported` event with the export filters in
`metadata`.

## Troubleshooting

| Symptom                          | Likely cause                          | Fix                                                                                    |
| -------------------------------- | ------------------------------------- | -------------------------------------------------------------------------------------- |
| `403` from the API               | The API key lacks `audit_log:export`. | Create or rotate a server-side key with that scope.                                    |
| Fewer JSON rows than expected    | JSON exports are paged by `limit`.    | Use CSV for a full filtered export, or raise `limit` up to `500`.                      |
| Missing secret value in metadata | Secrets are deliberately redacted.    | Use the key prefix, endpoint id, or subject id to correlate with the changed resource. |

<Note>
  The audit log records material account changes (identity, money, deploys). It
  is **not** a transcript of agent conversations - conversation history lives
  with the agent session path.
</Note>
