Audit log

/admin/audit is the cross-tenant view of the audit table. Tenant-scoped audit (/api/v1/audit) is gated by org membership; this page is gated by platformAdmin.

Filters

• Actor user id — exact match, useful for "what did this admin touch in the last hour".
• Organization id — exact match.
• Action prefix — startsWith match. The dropdown offers common conventions:
  • platform.* — every cross-tenant admin action.
  • platform.user.* — IAM admin actions.
  • platform.org.* — tenancy + billing admin actions.
  • platform.feature_flag.* — flag changes.
  • iam.* — domain events from the IAM module (signups, password changes, sessions).
  • tenancy.* — domain events from the tenancy module (org created, member added).
• Date range — from / to as ISO datetimes; the SQL gets occurredAt BETWEEN.

Route

GET /api/v1/platform/audit-events?
  organizationId=…
  actorUserId=…
  actionPrefix=…
  from=…  to=…
  page=1  pageSize=50

pageSize is capped at 200 server-side. Sorted by occurredAt DESC.

Naming conventions

<context>.<resource>.<action> for domain events, platform.<resource>.<action> for super-admin mutations. Past tense, snake_case for multi-word actions. Examples:

Impersonation-awareness

Every audit row stores the actor's real userId, regardless of whether the request was impersonated. actorUserId is the truth; if a row was created during impersonation, the impersonated user id appears in payload.impersonatedAs (when relevant) but never as the row's actorUserId.