> ## Documentation Index
> Fetch the complete documentation index at: https://hoopdev-feat-new-runbook-parameters.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# List security audit logs

> Lists security audit log entries for the organization. Only admins can access this API. Supports filtering by actor, resource type, action, HTTP method, HTTP status, client IP, path, outcome, and date range. Results are ordered by created_at descending.



## OpenAPI

````yaml https://use.hoop.dev/api/openapiv3.json get /audit/logs
openapi: 3.0.3
info:
  contact:
    email: help@hoop.dev
    name: Help
    url: https://help.hoop.dev
  description: >-
    Hoop.dev is an access gateway for databases and servers with an API for
    packet manipulation
  license:
    name: MIT
    url: https://opensource.org/license/mit
  termsOfService: https://hoop.dev/docs/legal/tos
  title: Hoop Api
  version: 1.54.3
servers:
  - url: https://use.hoop.dev/api
security: []
tags:
  - description: >
      Hoop implements Oauth2 and OIDC protocol to authenticate users in the
      system. To obtain a valid access token users need to authenticate in their
      own identity provider which is generated as a JSON response to the
      endpoint `http(s)://use.hoop.dev/api/login`. The identity provider them
      redirects the user to the callback endpoint containing the access token.


      The recommended approach of obtaining an access token is by visiting the
      Webapp main's page or using the **Hoop command line**. Example:


      ```sh

      hoop config create --api-url https://use.hoop.dev

      # save the token after authenticating at $HOME/.hoop/config.toml

      hoop login

      # show token information

      hoop config view --raw

      ```


      With an access token you could use any HTTP client to interact with the
      documented endpoints.

      The token must be sent through the `Authorization` header.


      Example:


      ```sh

      # obtain the current configuration of the server

      curl https://use.hoop.dev/api/serverinfo -H "Authorization: Bearer
      $ACCESS_TOKEN"

      ```
    name: Authentication
  - description: >
      Users are active and assigned to the default organization when they
      signup. A user could be set to an inactive state preventing it from
      accessing the platform, however it’s recommended to manage the state of
      users in the identity provider.


      - The `sub` claim is used as the main identifier of the user in the
      platform.

      - The profile of the user is derived from the id_token claims `email` and
      `name`.


      When a user authenticates for the first time, it performs an automatic
      signup that persist the profile claims along with it’s unique identifier.

      ​

      ### Groups


      Groups allows defining who may access or interact with certain resources.


      - For connection resources it’s possible to define which groups has access
      to a specific connection, this is enforced when the Access Control feature
      is enabled.

      - For review resources, it’s possible to define which groups are allowed
      to approve an execution, this is enforced when the Review feature is
      enabled.


      > This resource could be managed manually via Webapp or propagated by the
      identity provider via ID Token. In this mode, groups are sync when a user
      performs a login.


      ### Roles


      - The `admin` group is a special role that grants full access to all
      resources


      This role should be granted to users that are responsible for managing the
      Gateway. All other users are regular, meaning that they can access their
      own resources and interact with connections.
    name: User Management
  - description: Routes used to manage and obtain information about the runtime server.
    name: Server Management
  - description: Features available in the gateway. See also **Plugin** resources.
    name: Features
  - description: >-
      Proxy manager endpoints controls how clients connect via gRPC in the
      gateway. These endpoints are meant to be used when a client is initialized
      via `hoop proxy-manager`.
    name: Proxy Manager
  - name: Connections
  - name: Agents
  - name: Runbooks
  - name: Guard Rails
  - name: Reviews
  - name: Sessions
  - name: Organization Management
  - name: Reports
  - description: >
      Security audit log API. Only users in the **admin** group can access these
      endpoints.


      Audit log entries record security-relevant events (who performed an
      action, when, on which resource, and whether it succeeded). Use the list
      endpoint with filters to query by actor, resource type, action, outcome,
      or date range. Results are paginated and ordered by `created_at`
      descending.
    name: Audit Logs
paths:
  /audit/logs:
    get:
      tags:
        - Audit Logs
      summary: List security audit logs
      description: >-
        Lists security audit log entries for the organization. Only admins can
        access this API. Supports filtering by actor, resource type, action,
        HTTP method, HTTP status, client IP, path, outcome, and date range.
        Results are ordered by created_at descending.
      parameters:
        - description: 'Page number (default: 1)'
          in: query
          name: page
          schema:
            default: 1
            type: integer
        - description: 'Page size (1-100, default: 50)'
          in: query
          name: page_size
          schema:
            default: 50
            type: integer
        - description: Filter by actor subject (partial match)
          in: query
          name: actor_subject
          schema:
            type: string
        - description: Filter by actor email (partial match)
          in: query
          name: actor_email
          schema:
            type: string
        - description: Filter by resource type (e.g. connections, users, resources)
          in: query
          name: resource_type
          schema:
            type: string
        - description: Filter by action (create, update, delete, revoke)
          in: query
          name: action
          schema:
            type: string
        - description: Filter by HTTP method (GET, POST, PUT, PATCH, DELETE)
          in: query
          name: http_method
          schema:
            type: string
        - description: Filter by HTTP status code (e.g. 200, 400, 500)
          in: query
          name: http_status
          schema:
            type: integer
        - description: Filter by HTTP path (partial match)
          in: query
          name: http_path
          schema:
            type: string
        - description: Filter by client IP address (partial match)
          in: query
          name: client_ip
          schema:
            type: string
        - description: Filter by outcome (true = success, false = failure)
          in: query
          name: outcome
          schema:
            type: boolean
        - description: Filter entries created on or after this time (RFC3339 or YYYY-MM-DD)
          in: query
          name: created_after
          schema:
            type: string
        - description: >-
            Filter entries created on or before this time (RFC3339 or
            YYYY-MM-DD)
          in: query
          name: created_before
          schema:
            type: string
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/openapi.PaginatedResponse-openapi_SecurityAuditLogResponse
          description: OK
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openapi.HTTPError'
          description: Bad Request
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openapi.HTTPError'
          description: Forbidden
        '500':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/openapi.HTTPError'
          description: Internal Server Error
components:
  schemas:
    openapi.PaginatedResponse-openapi_SecurityAuditLogResponse:
      properties:
        data:
          items:
            $ref: '#/components/schemas/openapi.SecurityAuditLogResponse'
          type: array
        pages:
          $ref: '#/components/schemas/openapi.Pagination'
      type: object
    openapi.HTTPError:
      properties:
        message:
          example: the error description
          type: string
      type: object
    openapi.SecurityAuditLogResponse:
      properties:
        action:
          example: create
          type: string
        actor_email:
          example: admin@example.com
          type: string
        actor_name:
          example: Admin User
          type: string
        actor_subject:
          example: auth0|abc123
          type: string
        client_ip:
          example: 192.168.1.100
          type: string
        created_at:
          example: '2023-08-15T14:30:45Z'
          type: string
        error_message:
          example: ''
          type: string
        http_method:
          example: POST
          type: string
        http_path:
          example: /api/connections
          type: string
        http_status:
          example: 201
          type: integer
        id:
          example: 5364ec99-653b-41ba-8165-67236e894990
          format: uuid
          type: string
        org_id:
          example: 0CD7F941-2BB8-4F9F-93B0-11620D4652AB
          format: uuid
          type: string
        outcome:
          example: true
          type: boolean
        request_payload_redacted:
          additionalProperties:
            type: string
          type: object
        resource_type:
          example: connections
          type: string
      type: object
    openapi.Pagination:
      properties:
        page:
          type: integer
        size:
          type: integer
        total:
          type: integer
      type: object

````