Skip to content
Cloudflare API
Start here
API Reference
Organizations
Logs
Audit

Get organization audit logs (Version 2, Beta release)

GET/organizations/{organization_id}/logs/audit

Gets a list of audit logs for an organization.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Path ParametersExpand Collapse
organization_id: string

The unique id that identifies the organization.

Query ParametersExpand Collapse
before: string

Limits the returned results to logs older than the specified date. This can be a date string 2019-04-30 (interpreted in UTC) or an absolute timestamp that conforms to RFC3339.

formatdate
since: string

Limits the returned results to logs newer than the specified date. This can be a date string 2019-04-30 (interpreted in UTC) or an absolute timestamp that conforms to RFC3339.

formatdate
id: optional object { not }
not: optional array of string

Filters out audit logs by their IDs.

action_result: optional object { not }
not: optional array of "success" or "failure"

Filters out audit logs by whether the action was successful or not.

One of the following:
"success"
"failure"
action_type: optional object { not }
not: optional array of "create" or "delete" or "view" or "update"

Filters out audit logs by the action type.

One of the following:
"create"
"delete"
"view"
"update"
actor_context: optional object { not }
not: optional array of "api_key" or "api_token" or "dash" or 2 more

Filters out audit logs by the actor context.

One of the following:
"api_key"
"api_token"
"dash"
"oauth"
"origin_ca_key"
actor_email: optional object { not }
not: optional array of string

Filters out audit logs by the actor’s email address.

actor_id: optional object { not }
not: optional array of string

Filters out audit logs by the actor’s user ID.

actor_ip_address: optional object { not }
not: optional array of string

Filters out audit logs IP address where the action was initiated.

actor_token_id: optional object { not }
not: optional array of string

Filters out audit logs by the API token ID when the actor context is an api_token or oauth.

actor_token_name: optional object { not }
not: optional array of string

Filters out audit logs by the API token name when the actor context is an api_token or oauth.

actor_type: optional object { not }
not: optional array of "cloudflare_admin" or "system" or "user"

Filters out audit logs by the actor type.

One of the following:
"cloudflare_admin"
"system"
"user"
cursor: optional string

The cursor is an opaque token used to paginate through large sets of records. It indicates the position from which to continue when requesting the next set of records. A valid cursor value can be obtained from the cursor object in the result_info structure of a previous response.

direction: optional "desc" or "asc"

Sets sorting order.

One of the following:
"desc"
"asc"
limit: optional number

The number limits the objects to return. The cursor attribute may be used to iterate over the next batch of objects if there are more than the limit.

maximum1000
minimum1
raw_cf_ray_id: optional object { not }
not: optional array of string

Filters out audit logs by the response CF Ray ID.

raw_method: optional object { not }
not: optional array of string

Filters out audit logs by the HTTP method for the API call.

raw_status_code: optional object { not }
not: optional array of number

Filters out audit logs by the response status code that was returned.

raw_uri: optional object { not }
not: optional array of string

Filters out audit logs by the request URI.

resource_id: optional object { not }
not: optional array of string

Filters out audit logs by the resource ID.

resource_product: optional object { not }
not: optional array of string

Filters out audit logs by the Cloudflare product associated with the changed resource.

resource_scope: optional object { not }
not: optional array of "organizations"

Filters out audit logs by the resource scope, specifying whether the resource is associated with an organization.

resource_type: optional object { not }
not: optional array of string

Filters out audit logs based on the unique type of resource changed by the action.

ReturnsExpand Collapse
errors: optional array of object { message }
message: string
result: optional array of object { id, action, actor, 3 more }
id: optional string

A unique identifier for the audit log entry.

maxLength32
action: optional object { description, result, time, type }

Provides information about the action performed.

description: optional string

A short description of the action performed.

result: optional string

The result of the action, indicating success or failure.

time: optional string

A timestamp indicating when the action was logged.

formatdate-time
type: optional string

A short string that describes the action that was performed.

actor: optional object { id, context, email, 4 more }

Provides details about the actor who performed the action.

id: optional string

The ID of the actor who performed the action. If a user performed the action, this will be their User ID.

context: optional "api_key" or "api_token" or "dash" or 2 more
One of the following:
"api_key"
"api_token"
"dash"
"oauth"
"origin_ca_key"
email: optional string

The email of the actor who performed the action.

formatemail
ip_address: optional string

The IP address of the request that performed the action.

token_id: optional string

The API token ID when the actor context is an api_token or oauth.

token_name: optional string

The API token name when the actor context is an api_token or oauth.

type: optional "cloudflare_admin" or "system" or "user"

The type of actor.

One of the following:
"cloudflare_admin"
"system"
"user"
organization: optional object { id }

Contains organization related information.

id: optional string

A unique identifier for the organization.

raw: optional object { cf_ray_id, method, status_code, 2 more }

Provides raw information about the request and response.

cf_ray_id: optional string

The Cloudflare Ray ID for the request.

method: optional string

The HTTP method of the request.

status_code: optional number

The HTTP response status code returned by the API.

uri: optional string

The URI of the request.

user_agent: optional string

The client’s user agent string sent with the request.

resource: optional object { id, product, request, 3 more }

Provides details about the affected resource.

id: optional string

The unique identifier for the affected resource.

product: optional string

The Cloudflare product associated with the resource.

request: optional unknown
response: optional unknown
scope: optional unknown

The scope of the resource.

type: optional string

The type of the resource.

result_info: optional object { count, cursor }

Provides information about the result of the request, including count and cursor.

count: optional string

The number of records returned in the response.

cursor: optional string

The cursor token used for pagination.

success: optional true

Indicates whether the API call was successful

Get organization audit logs (Version 2, Beta release)

curl https://api.cloudflare.com/client/v4/organizations/$ORGANIZATION_ID/logs/audit \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
{
  "errors": [
    {
      "message": "message"
    }
  ],
  "result": [
    {
      "id": "023e105f4ecef8ad9ca31a8372d0c353",
      "action": {
        "description": "Add Member",
        "result": "success",
        "time": "2024-04-26T17:31:07Z",
        "type": "create"
      },
      "actor": {
        "id": "f6b5de0326bb5182b8a4840ee01ec774",
        "context": "dash",
        "email": "alice@example.com",
        "ip_address": "198.41.129.166",
        "token_id": "token_id",
        "token_name": "token_name",
        "type": "user"
      },
      "organization": {
        "id": "019c4f65e7607d8c9f6f6b58aa3aff50"
      },
      "raw": {
        "cf_ray_id": "8e9b1c60ef9e1c9a",
        "method": "POST",
        "status_code": 200,
        "uri": "/accounts/4bb334f7c94c4a29a045f03944f072e5/members",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
      },
      "resource": {
        "id": "id",
        "product": "organizations",
        "request": {},
        "response": {},
        "scope": {},
        "type": "type"
      }
    }
  ],
  "result_info": {
    "count": "1",
    "cursor": "ASqdKd7dKgxh-aZ8bm0mZos1BtW4BdEqifCzNkEeGRzi_5SN_-362Y8sF-C1TRn60_6rd3z2dIajf9EAPyQ_NmIeAMkacmaJPXipqvP7PLU4t72wyqBeJfjmjdE="
  },
  "success": true
}
Returns Examples
{
  "errors": [
    {
      "message": "message"
    }
  ],
  "result": [
    {
      "id": "023e105f4ecef8ad9ca31a8372d0c353",
      "action": {
        "description": "Add Member",
        "result": "success",
        "time": "2024-04-26T17:31:07Z",
        "type": "create"
      },
      "actor": {
        "id": "f6b5de0326bb5182b8a4840ee01ec774",
        "context": "dash",
        "email": "alice@example.com",
        "ip_address": "198.41.129.166",
        "token_id": "token_id",
        "token_name": "token_name",
        "type": "user"
      },
      "organization": {
        "id": "019c4f65e7607d8c9f6f6b58aa3aff50"
      },
      "raw": {
        "cf_ray_id": "8e9b1c60ef9e1c9a",
        "method": "POST",
        "status_code": 200,
        "uri": "/accounts/4bb334f7c94c4a29a045f03944f072e5/members",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
      },
      "resource": {
        "id": "id",
        "product": "organizations",
        "request": {},
        "response": {},
        "scope": {},
        "type": "type"
      }
    }
  ],
  "result_info": {
    "count": "1",
    "cursor": "ASqdKd7dKgxh-aZ8bm0mZos1BtW4BdEqifCzNkEeGRzi_5SN_-362Y8sF-C1TRn60_6rd3z2dIajf9EAPyQ_NmIeAMkacmaJPXipqvP7PLU4t72wyqBeJfjmjdE="
  },
  "success": true
}