Skip to main content
Skip table of contents


The Audit API tracks changes to elements in the UI and all user actions.

The changes are visible through an API endpoint api/audit/swagger/ or /api/audit/swagger/v1/swagger.json

Example requests :

1 - GET /api/Audit - Retrieves audit log events filtered by the "Configuration" category and on or after the given date



2 - GET /api/Audit - Retrieves audit log events filtered by the "Transfer" category and between the given date ranges



3 - GET /api/Audit - Retrieves audit log events filtered by the "Login Failed" event type and on or after the given date



4 - GET /api/Audit - Same example as the previous with pagination support



Please adjust the date range according, otherwise it will take a long time to generate the request using the examples shown above.

Details on the different Event Types


  • UserChange (101): When a user makes a change.

  • UserGroupChange (102): When a user group is modified.

  • PermissionsChange (103): When permissions are altered.

  • FlowChange (104): When a flow is changed.

  • OrganizationChange (105): When an organization undergoes change.

  • EndpointChange (106): When an endpoint is modified.

  • ThruNodeChange (107): When a ThruNode is changed.

  • FlowEndpointChange (108): When a flow endpoint is altered.

  • SSHKeyChange (109): When an SSH key is modified.

  • PGPKeyChange (110): When a PGP key is modified.

  • CertificateChange (111): When a certificate is changed.

User Action

  • LoginSuccess (201): When a user logs in successfully.

  • LoginFailed (202): When a login attempt fails.

  • Logout (203): When a user logs out.

  • SSOLoginSuccess (204): When a single sign-on login is successful.

  • SSOLoginFailed (205): When a single sign-on login attempt fails.

MFA (Multi-Factor Authentication)

  • OneTimePasscodeSent (211): When a one-time passcode is sent for authentication.


  • AlertAcknowledge (301): When an alert is acknowledged.

  • AlertClear (302): When an alert is cleared.

  • AlertSuppress (303): When an alert is suppressed.

  • AlertReactivate (304): When a deactivated alert is reactivated.


  • ReportDownload (401): When a report is downloaded.

Import/Export (Flow)

  • FlowExport (501): When a flow is exported.

  • FlowImport (502): When a flow is imported.

  • ExportConnectionInfo (503): When connection information is exported.


  • FlowEndpointScheduleRun (601): When a scheduled run for a flow endpoint occurs.

  • FlowManualRun (602): When a manual run of a flow endpoint is initiated.

  • ManualFileDownload (603): When a file is manually downloaded.

  • ManualFileUpload (604): When a file is manually uploaded.


  • ThruNodeInstall (701): When a ThruNode is installed.

  • ThruNodeUninstall (702): When a ThruNode is uninstalled.


  • SessionTimeout (801): When a user session times out.

  • AccountLockout (802): When an account is locked out due to multiple failed login attempts.

  • ForgotUsername (803): When a user forgets their username.

  • ForgotPassword (804): When a user forgets their password.

  • AccountUnban (805): When an account is unbanned.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.