Skip to content
Cloudflare API
Start here
API Reference
User
Audit Logs

Get user audit logs

GET/user/audit_logs

Gets a list of audit logs for a user account. Can be filtered by who made the change, on which zone, and the timeframe of the change.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Account Settings WriteAccount Settings Read
Query ParametersExpand Collapse
id: optional string

Finds a specific log by its ID.

action: optional { type }
type: optional string

Filters by the action type.

actor: optional { email, ip }
email: optional string

Filters by the email address of the actor that made the change.

formatemail
ip: optional string

Filters by the IP address of the request that made the change by specific IP address or valid CIDR Range.

before: optional string or string

Limits the returned results to logs older than the specified date. A full-date that conforms to RFC3339.

One of the following:
FullDate = string

Limits the returned results to logs older than the specified date. A full-date that conforms to RFC3339.

DateTime = string

Limits the returned results to logs older than the specified date. A date-time that conforms to RFC3339.

direction: optional "desc" or "asc"

Changes the direction of the chronological sorting.

One of the following:
"desc"
"asc"
export: optional boolean

Indicates that this request is an export of logs in CSV format.

hide_user_logs: optional boolean

Indicates whether or not to hide user level audit logs.

page: optional number

Defines which page of results to return.

minimum1
per_page: optional number

Sets the number of results to return per page.

maximum1000
minimum1
since: optional string or string

Limits the returned results to logs newer than the specified date. A full-date that conforms to RFC3339.

One of the following:
FullDate = string

Limits the returned results to logs newer than the specified date. A full-date that conforms to RFC3339.

DateTime = string

Limits the returned results to logs newer than the specified date. A date-time that conforms to RFC3339.

zone: optional { name }
name: optional string

Filters by the name of the zone associated to the change.

ReturnsExpand Collapse
{ errors, messages, result, success }
errors: optional array of ResponseInfo { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
messages: optional array of ResponseInfo { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
result: optional array of AuditLog { id, action, actor, 7 more }
id: optional string

A string that uniquely identifies the audit log.

action: optional { result, type }
result: optional boolean

A boolean that indicates if the action attempted was successful.

type: optional string

A short string that describes the action that was performed.

actor: optional { id, email, ip, type }
id: optional string

The ID of the actor that performed the action. If a user performed the action, this will be their User ID.

email: optional string

The email of the user that performed the action.

formatemail
ip: optional string

The IP address of the request that performed the action.

type: optional "user" or "admin" or "Cloudflare"

The type of actor, whether a User, Cloudflare Admin, or an Automated System.

One of the following:
"user"
"admin"
"Cloudflare"
interface: optional string

The source of the event.

metadata: optional unknown

An object which can lend more context to the action being logged. This is a flexible value and varies between different actions.

newValue: optional string

The new value of the resource that was modified.

oldValue: optional string

The value of the resource before it was modified.

owner: optional { id }
id: optional string

Identifier

maxLength32
resource: optional { id, type }
id: optional string

An identifier for the resource that was affected by the action.

type: optional string

A short string that describes the resource that was affected by the action.

when: optional string

A UTC RFC3339 timestamp that specifies when the action being logged occured.

formatdate-time
success: optional boolean
AaaAPIResponseCommon { errors, messages, success }
errors: array of ResponseInfo { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
messages: array of ResponseInfo { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
success: true

Whether the API call was successful

Get user audit logs

curl https://api.cloudflare.com/client/v4/user/audit_logs \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "d5b0f326-1232-4452-8858-1089bd7168ef",
      "action": {
        "result": true,
        "type": "change_setting"
      },
      "actor": {
        "id": "f6b5de0326bb5182b8a4840ee01ec774",
        "email": "michelle@example.com",
        "ip": "198.41.129.166",
        "type": "user"
      },
      "interface": "API",
      "metadata": {
        "name": "security_level",
        "type": "firewall",
        "value": "high",
        "zone_name": "example.com"
      },
      "newValue": "low",
      "oldValue": "high",
      "owner": {
        "id": "023e105f4ecef8ad9ca31a8372d0c353"
      },
      "resource": {
        "id": "023e105f4ecef8ad9ca31a8372d0c353",
        "type": "zone"
      },
      "when": "2017-04-26T17:31:07Z"
    }
  ],
  "success": true
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "d5b0f326-1232-4452-8858-1089bd7168ef",
      "action": {
        "result": true,
        "type": "change_setting"
      },
      "actor": {
        "id": "f6b5de0326bb5182b8a4840ee01ec774",
        "email": "michelle@example.com",
        "ip": "198.41.129.166",
        "type": "user"
      },
      "interface": "API",
      "metadata": {
        "name": "security_level",
        "type": "firewall",
        "value": "high",
        "zone_name": "example.com"
      },
      "newValue": "low",
      "oldValue": "high",
      "owner": {
        "id": "023e105f4ecef8ad9ca31a8372d0c353"
      },
      "resource": {
        "id": "023e105f4ecef8ad9ca31a8372d0c353",
        "type": "zone"
      },
      "when": "2017-04-26T17:31:07Z"
    }
  ],
  "success": true
}