Audit expectations
Every state-changing action you take as a platform admin writes to at least one audit log. Impersonation actions write to two simultaneously. Nothing platform admins do is invisible to the target org Owner. Logs are immutable — no UPDATE, no DELETE, not even by platform admins (D80).
Platform-side log (platform_audit_log)
365-day retention. Visible only to platform admins via GET /api/v1/platform/audit-log and the /platform/audit-log page.
| Action | When emitted | Includes |
|---|---|---|
platform.login | Every successful platform login | platform_user_id, IP, User-Agent |
platform.login_failed | Every failed platform login attempt | email attempted, IP, User-Agent |
platform.logout | Explicit logout or session expiry | platform_user_id, revoked impersonation count |
platform.password_changed | Platform-admin self-service password change | platform_user_id |
platform.user_created | Another platform admin provisioned a new platform account | actor, target platform user, role |
platform.user_disabled | Platform-admin account disabled | actor, target |
platform.org_created | New customer org provisioned via POST /platform/orgs | org name, slug, owner email, plan |
platform.org_disabled | Org suspended via POST /platform/orgs/{id}/disable | org id, reason |
platform.org_enabled | Org re-enabled | org id |
platform.org_deletion_initiated | 7-day grace deletion started | org id, confirmation_text hash |
platform.org_deleted | Hard delete after 7-day grace | org id |
platform.impersonation_started | Scoped token minted | target org, reason, ticket_ref, target_user_id |
platform.impersonation_action | Summarised per-request activity during impersonation | impersonation_id, request count, endpoints touched |
platform.impersonation_ended | Explicit end or expiry | impersonation_id, end reason |
platform.impersonation_blocked | Mint rejected by allow_platform_impersonation = false | target org, platform_user_id |
Org-side log (audit_log)
90-day retention. Visible to the customer’s Owner and Admins via /admin/audit-log. Platform actions appear with a Platform Support badge.
| Action written here | actor_type | Visible with these details |
|---|---|---|
platform.impersonation_started | platform_admin_impersonating | reason, ticket_ref, expiry time |
platform.impersonation_ended | platform_admin_impersonating | end reason |
Org-domain action under impersonation (e.g. user.role_changed, camera.updated, alert_rule.deleted) | platform_admin_impersonating | original action fields + impersonation_id |
org.platform_impersonation_disabled | user (the Owner) | who toggled off, when |
org.platform_impersonation_enabled | user (the Owner) | who toggled on, when |
org.created_by_platform | platform_admin | initial provisioning, platform actor id |
org.disabled_by_platform | platform_admin | reason |
Visibility matrix
| Log | Platform admins | Org Owner | Org Admin | Org Operator | Org Viewer |
|---|---|---|---|---|---|
platform_audit_log | full | no | no | no | no |
Customer audit_log (own org) | via impersonation only | full | full | no | no |
Customer audit_log (other org) | no | no | no | no | no |
What is NOT audited
Read-only platform activity is intentionally summarised, not per-request. Specifically:
GET /api/v1/platform/orgslisting — emits oneplatform.impersonation_actionsummary per listing session, not per row.GET /api/v1/platform/fleet/health— emits a summary entry, not a per-metric entry.- Cross-org search queries (see Cross-org search) — emit
platform.cross_org_searchwith the search term hash and result count, not the full result set. - Browser navigation inside
/platform/*pages — frontend route changes are not audited. Only backend API calls are.
State-changing calls are always audited, no exception. If you find a state-changing path that is not in this table, treat it as a bug and file an incident.
Retention and export
- Platform log: 365 days, rolled into cold storage after day 30. Export via
GET /api/v1/platform/audit-log?format=csv. - Org log: 90 days. Exportable by the org Owner via
/admin/audit-log?format=csv. - Hard deletion of an org deletes its org-side audit log with the rest of the org’s data. The platform-side record (
platform.org_deleted) survives.
See also
- How scoped impersonation works — lifecycle that drives most entries here.
- Incident response runbook — when to pull audit logs during an incident.