Audit logs
What actions are recorded, how to search and filter the audit log, and how to export it.
What audit logs record
Nimriz keeps a persistent audit log of security-relevant actions taken across your workspace and organization. Audit logs are designed for governance, compliance review, and security investigations-they answer "who did what, when, and from where."
Audit logs are immutable. Entries cannot be edited or deleted. Once an action is recorded, it stays in the log for the duration of the retention period.
Where to find audit logs
Workspace audit log
Every workspace Admin can access the workspace audit log at: Settings → Audit
This view shows actions scoped to your current workspace. It covers link management, team changes, domain events, API key operations, webhook events, and more.
Organization audit log
Organization Owners and Org Admins can access the organization-level audit log at: Settings → Organization → Audit
This view spans all workspaces within the organization. It includes cross-workspace governance actions, org membership changes, billing events, and domain lifecycle events at the org level.
What each log entry contains
Every audit log entry records the following:
| Field | Description |
|---|---|
| Timestamp | When the action occurred (UTC). |
| Action | The specific event that happened (see the action catalog below). |
| Actor | Who performed the action: a user (identified by display name and email), an API key (identified by workspace), or a system process. |
| Entity type | The type of resource affected (e.g., link, domain, member, invite). |
| Entity ID | The stable UUID of the affected resource. |
| Workspace | The workspace context for the action. |
| Organization | The org context, when relevant. |
| Metadata | Action-specific details (e.g., before/after values for changes, field names changed). |
Action catalog
Link actions
| Action | What it records |
|---|---|
link.created | A new short link was created. Records domain, slug, destination host, expiration, source (dashboard, API, import, system). |
link.destination_updated | The destination URL of a link was changed. Records before/after destination host. |
link.slug_updated | The slug was changed. Records old and new slug values. |
link.expiration_updated | The expiration date was set, changed, or removed. |
link.password_updated | Password protection was added, changed, or removed. |
link.routing_rule_created | A routing rule was added to a link. |
link.routing_rule_updated | A routing rule was modified. |
link.routing_rule_deleted | A routing rule was removed. |
link.routing_rule_reordered | The ordering of routing rules was changed. |
link.qr_style_updated | A link's custom QR styling was changed. |
link.import_batch_summary | A bulk link import completed. Records number of rows created and failed. |
Team and member actions
| Action | What it records |
|---|---|
invite.sent | A workspace invitation was created and sent. Records invited email and assigned role. |
invite.resent | An invitation was resent. |
invite.revoked | An invitation was revoked before acceptance. |
invite.accepted | An invitation was accepted and the invitee joined the workspace. |
member.role_changed | A member's role was changed. Records old and new role. |
member.removed | A member was removed from the workspace. |
Domain actions
| Action | What it records |
|---|---|
domain.created | A custom domain was added. |
domain.verification_updated | The domain's verification or readiness state changed. |
domain.landing_redirect_updated | The domain's fallback landing URL was changed. |
domain.reconnected | A domain was reconnected after a disruption. |
domain.disconnected | A domain was disconnected or removed. |
Security and authentication actions
| Action | What it records |
|---|---|
workspace.2fa_enforcement_changed | Workspace 2FA enforcement was enabled or disabled. |
user.totp_enrolled | A user completed TOTP setup. |
user.totp_disabled | A user disabled their TOTP factor. |
user.recovery_codes_regenerated | A user regenerated their recovery codes. |
user.totp_reset_by_admin | An operator reset a user's TOTP factor via the support admin flow. |
API and integration actions
| Action | What it records |
|---|---|
api_key.created | A workspace API key was generated. |
api_key.rotated | A workspace API key was rotated. |
api_key.revoked | A workspace API key was revoked. |
conversion_secret.rotated | The workspace conversion API signing secret was rotated. |
webhook.endpoint_created | A webhook endpoint was added. |
webhook.endpoint_updated | A webhook endpoint configuration was changed. |
webhook.endpoint_deleted | A webhook endpoint was removed. |
webhook.secret_rotated | A webhook endpoint's signing secret was rotated. |
webhook.test_sent | A test event was sent to a webhook endpoint. |
webhook.event_replayed | A past webhook event was manually replayed. |
Library and organization actions
| Action | What it records |
|---|---|
space.created | A space was created. |
space.renamed | A space was renamed. |
space.archived | A space was archived. |
tag.created | A tag was created. |
tag.renamed | A tag was renamed. |
utm_preset.created | A UTM preset was created. |
utm_preset.updated | A UTM preset was modified. |
utm_preset.deleted | A UTM preset was deleted. |
qr_preset.created | A QR preset was created. |
qr_preset.updated | A QR preset was modified. |
qr_preset.deleted | A QR preset was deleted. |
Searching and filtering
From the audit log view, you can filter entries by:
- Time range-narrow to a specific period.
- Action-filter to a specific action type or category.
- Actor-filter to actions by a specific user.
- Entity type-see only link events, team events, domain events, etc.
For complex investigations, use multiple filters together. For example: all link.* actions by a specific user in the last 7 days.
Exporting audit logs
The audit log can be exported as a CSV for external review or compliance archiving. The export respects the same scope and filters as the on-screen view.
API access is also available:
GET /api/audit-logs?limit=50&offset=0
Authorization: Bearer <WORKSPACE_API_KEY>
For organization-scoped audit data:
GET /api/organization/audit-logs
Authorization: Bearer <WORKSPACE_API_KEY>
Audit log retention
Audit log retention follows the platform's standard data retention schedule. Logs are preserved for as long as the workspace is active. Logs cannot be selectively deleted.
What is not recorded
Audit logs focus on intentional mutations and security-relevant events. The following are not recorded:
- Routine read operations (viewing a link's analytics, browsing the link list).
- Redirect events (individual short-link clicks are in analytics, not in audit logs).
- No-op saves (an edit that results in no actual change does not create an audit entry).
Troubleshooting
I cannot see the Audit section in Settings
Audit log access requires the Admin role in the workspace (or Org Owner/Org Admin for org-level logs). If you do not see the Audit section in Settings, ask your workspace Admin to check your current role.
An action I took is not appearing in the audit log
- Check the time range filter-the log defaults to a recent window, and your action may be outside the visible range.
- Confirm you are looking at the correct scope. Workspace-level audit shows workspace actions; organization-level audit shows org-level actions.
- Some actions (read operations, no-op saves) are intentionally not logged.
I want to see who deleted a link
Link deletions, if supported in your workspace, are captured as link lifecycle events. Filter the audit log to entity_type = link and look for the relevant action. If you do not see a deletion entry, the link may still exist in a disabled or expired state rather than having been deleted.