Audit Logs

Query the audit trail for security and compliance monitoring. Audit logs record actions such as user account changes, API key revocations, and other administrative events. These endpoints are designed for SIEM/SOAR integration.

List audit logs

GET /audit-logs

Returns a paginated, reverse-chronological list of audit log entries.

Scope: admin:audit:read · Rate limit: Standard (300 req / min)

Query parameters

Parameter	Type	Required	Description
limit	string	No	Maximum results per page (default 100, max 1000).
cursor	string	No	Pagination cursor from a previous response's nextCursor.
action	string	No	Filter by action type (e.g. user.disabled, api_key.revoked).
since	string (ISO 8601)	No	Only return events that occurred after this timestamp.

Response

{
  "data": [
    {
      "id": "019abc12-3456-7890-abcd-ef1234567890",
      "action": "user.disabled",
      "occurredAt": "2026-04-05T12:00:00.000Z",
      "actor": {
        "id": "019abc12-3456-7890-abcd-ef1234567891",
        "type": "user",
        "name": "Alice Johnson"
      },
      "targets": [
        {
          "id": "019abc12-3456-7890-abcd-ef1234567892",
          "type": "user",
          "name": "Bob Smith"
        }
      ],
      "context": {
        "location": "api",
        "userAgent": "curl/8.5.0"
      },
      "metadata": {
        "reason": "Compromised credentials",
        "revokedApiKeys": 2
      }
    }
  ],
  "nextCursor": "019abc12-3456-7890-abcd-ef1234567899",
  "totalCount": 156
}

Entry fields

Field	Type	Description
id	string (uuid)	Audit log entry ID.
action	string	Action type (e.g. user.disabled, user.enabled, api_key.revoked).
occurredAt	string (ISO 8601)	When the event occurred.
actor	object	Who performed the action — contains id, type, and optionally name and metadata.
targets	array	Resources affected — each contains id, type, and optionally name and metadata.
context	object	Request context — location (e.g. "api", "web") and optionally userAgent.
metadata	object or absent	Additional event-specific data.

Example

Fetch audit events from the last 24 hours, filtered to user-related actions:

curl "https://<your-domain>.nomic.ai/api/v0/audit-logs?since=2026-04-04T12:00:00Z&action=user.disabled&limit=50" \
  -H "Authorization: Bearer $NOMIC_API_KEY"

SIEM integration

To continuously ingest audit logs into a SIEM, poll this endpoint on a schedule (e.g. every 60 seconds) using the since parameter set to the occurredAt value of the most recently ingested entry. Use cursor to page through large result sets within each poll.