Audit Log Endpoints

Immutable audit trail of all actions performed through Bulwark.

List Audit Events

GET /api/v1/audit

Headers

Authorization: Bearer <apiKey>
X-Bulwark-Tenant: <tenant-id>

Query Parameters

| Parameter | Description | |-----------|-------------| | limit | Results per page (default: 50, max: 200) | | cursor | Pagination cursor | | from | ISO 8601 start timestamp | | to | ISO 8601 end timestamp | | actorType | user, agent, api-key | | actorId | Filter by specific actor | | action | Filter by action type | | resourceType | session, agent, credential, vault-token |

Response `200`

{
  "data": [
    {
      "eventId": "audit_01j...",
      "action": "session.created",
      "actor": {
        "type": "agent",
        "id": "agent_01j...",
        "name": "my-assistant"
      },
      "resource": {
        "type": "session",
        "id": "sess_01j..."
      },
      "metadata": {
        "grantedScopes": ["read:customers"],
        "ipAddress": "10.0.0.1"
      },
      "timestamp": "2026-03-18T13:00:00Z"
    }
  ],
  "pagination": { "cursor": "...", "hasMore": true }
}

Get Audit Event

GET /api/v1/audit/{eventId}

Response `200`

{
  "data": {
    "eventId": "audit_01j...",
    "action": "credential.accessed",
    "actor": {
      "type": "agent",
      "id": "agent_01j...",
      "name": "my-assistant"
    },
    "resource": {
      "type": "credential",
      "id": "cred_01j...",
      "provider": "github"
    },
    "metadata": {
      "sessionId": "sess_01j...",
      "proxyTarget": "https://api.github.com/repos/owner/repo",
      "responseStatus": 200,
      "ipAddress": "10.0.0.1",
      "userAgent": "bulwark-proxy/0.1.0"
    },
    "timestamp": "2026-03-18T13:02:00Z"
  }
}

Action Types

| Action | Description | |--------|-------------| | auth.login | User login | | auth.logout | User logout | | agent.created | Agent registered | | agent.revoked | Agent revoked | | session.created | Agent session started | | session.completed | Agent session ended | | credential.accessed | Credential used via proxy | | vault-token.stored | Token stored in vault | | vault-token.revoked | Token revoked from vault | | ciba.requested | Human approval requested | | ciba.approved | Human approved action | | ciba.denied | Human denied action | | fga.check | Access check performed | | secret.accessed | Secret retrieved from vault |

Audit Log Endpoints

List Audit Events

Headers

Query Parameters

Response 200

Get Audit Event

Response 200

Action Types

Response `200`

Response `200`