Authdog audit logs record authentication and administrative activity for investigation, compliance, and operational monitoring. Environment logs cover identity activity; organization logs cover organization-level changes.

## Review logs in console

Open **Audit** in [Authdog console](https://console.authdog.com), then select intended project and environment. Filter by time, event category, event type, user, browser, operating system, location, external ID, or event details.

Start with narrow time range and known user or event type. Expand only after confirming relevant timestamp and environment.

Environment records can include event type and category, timestamp, tenant, application, environment, organization, provider, external ID, remote IP, user agent, user summary, location, and JSON event payload. Fields are nullable because context varies by event source.

Organization records can include actor, authentication method, resource type and ID, previous and new values, remote IP, user agent, and environment context.

## Query environment logs with REST API

Public REST endpoints use `https://api.authdog.com/v1` and Bearer authentication. Keep API token server-side.

```bash
curl --get \
  "https://api.authdog.com/v1/tenants/$TENANT_ID/environments/$ENVIRONMENT_ID/audit/logs" \
  -H "Authorization: Bearer $AUTHDOG_API_TOKEN" \
  --data-urlencode "startDateTime=2026-07-01T00:00:00Z" \
  --data-urlencode "endDateTime=2026-07-02T00:00:00Z" \
  --data-urlencode "eventTypes=SIGNIN_SUCCESS,MFA_SIGNIN_FAILURE" \
  --data-urlencode "limit=100"
```

Response contains `logs`, `total`, and optional `meta`. Pagination uses numeric `offset` and `limit`; maximum limit is 500. Supported filters include:

- `startDateTime`, `endDateTime`, `from`, `to`, or `relativeTime`
- `eventType` or comma-separated `eventTypes`
- `eventCategory` or comma-separated `categories`
- `searchQuery`, `eventDetailsSearch`, or `externalIdSearch`
- comma-separated `userIds`, `browsers`, `operatingSystems`, or `locations`

Treat event names as catalog values rather than guessing strings.

## Discover event types

Use metadata endpoints to build filters dynamically:

```bash
curl \
  "https://api.authdog.com/v1/tenants/$TENANT_ID/environments/$ENVIRONMENT_ID/audit/event-types/catalog" \
  -H "Authorization: Bearer $AUTHDOG_API_TOKEN"
```

Available routes:

- `GET /v1/tenants/{tenantId}/environments/{environmentId}/audit/event-metadata` — observed categories, counts, types, and sample payloads for selected time range.
- `GET /v1/tenants/{tenantId}/environments/{environmentId}/audit/event-types` — grouped event types, including catalog-backed zero-count entries where available.
- `GET /v1/tenants/{tenantId}/environments/{environmentId}/audit/event-types/catalog` — centralized type/category catalog.

Do not hard-code exhaustive event list. New catalog entries may appear without breaking API.

## Query organization logs

```bash
curl --get \
  "https://api.authdog.com/v1/organizations/$ORGANIZATION_ID/audit/logs" \
  -H "Authorization: Bearer $AUTHDOG_API_TOKEN" \
  --data-urlencode "categories=organization_management,tenant_management" \
  --data-urlencode "limit=100"
```

Organization log endpoint supports time, event type/category, search, and resource type filters. Maximum limit is 500.

## Investigate an incident

1. Record tenant, environment, user, and UTC time range.
2. Find initial event and note event ID, actor, remote IP, provider, and user agent.
3. Correlate neighboring authentication, MFA, user-management, and secret-management events.
4. Preserve raw JSON before taking remediation action.
5. Revoke sessions or credentials as needed.
6. Confirm remediation produced expected follow-up events.

Event payload is source-specific. Parse defensively, preserve unknown fields, and never make authorization decisions from audit data.

## Security and retention

Audit responses may contain personal data, IP addresses, and event details. Restrict API scopes, encrypt exports, set destination retention, and avoid copying payloads into tickets without redaction.

Authdog API exposes recorded data but this page does not promise a fixed retention period or tamper-evident external archive. If regulation requires immutable long-term retention, export events to controlled SIEM or storage and document verification process.

## Related

- [Events and webhooks](/docs/events-webhooks)
- [API](/docs/api)
- [Security](/docs/security)
- [MFA](/docs/mfa)
