The Audit Log API allows customers to query audit logs for their workspace. These APIs cover ways to query audit logs at a given time or from an ID and how to paginate through audit logs over time.Documentation Index
Fetch the complete documentation index at: https://developers.harvey.ai/llms.txt
Use this file to discover all available pages before exploring further.
The current API request rate limits for Audit Log API endpoints are 60 requests per minute.
Overview
Use the Audit Log API to:- Track User Activity: Monitor all actions taken by users in your workspace
- Maintain Compliance: Keep detailed records for audit and compliance purposes
- Investigate Incidents: Retrieve historical logs to investigate specific events
- Export Records: Fetch and store audit logs in your own systems
Endpoints
Search Audit Logs
time(required): UTC epoch timestamp, up to 1 year old from nowlog_type(optional): Filter to return only logs of a specific type (e.g.,auth:login,admin:add_users)
Get Earliest Audit Log
log_type(optional): Filter to return only logs of a specific type (e.g.,auth:login,admin:add_users)
Get Latest Audit Log
log_type(optional): Filter to return only logs of a specific type (e.g.,auth:login,admin:add_users)
Query Audit Logs
from(required): Audit log ID to begin fetching from (UUID format)take(required): Number of audit log entries to fetch (max 1000)log_type(optional): Filter to return only logs of a specific type (e.g.,auth:login,admin:add_users)
Audit Log Types
Each audit log entry includes atype field that identifies the specific action performed. Below is a complete list of audit log types you may encounter:
API Operations
| Audit Log Type | Description |
|---|---|
api:audit_log_fetch | Fetches audit logs via API |
api:create_query | Creates a query via API |
api:client_matter_management | Manages client matters via API |
api:history_fetch | Fetches history records via API |
api:token_mgmt_rotate | Rotates API tokens |
api:vault_list_projects | Lists vault projects via API |
api:vault_get_metadata | Gets vault metadata via API |
api:vault_upload_files | Uploads files to vault via API |
api:vault_delete_file | Deletes files from vault via API |
api:vault_delete_project | Deletes vault projects via API |
Authentication
| Audit Log Type | Description |
|---|---|
auth:login | User login |
auth:logout | User logout |
auth:failed | Failed authentication attempt |
Admin Operations
| Audit Log Type | Description |
|---|---|
admin:client_view_workspace_history | Admin views workspace history in client |
admin:fetch_workspace_history | Admin fetches workspace history |
admin:client_view_workspace_history_item | Admin views specific workspace history item in client |
admin:fetch_workspace_history_item | Admin fetches specific workspace history item |
admin:delete_workspace_history_item | Admin deletes workspace history item |
admin:delete_workspace_history_items | Admin deletes multiple workspace history items |
admin:export_workspace_history | Admin exports workspace history |
admin:export_query_usage | Admin exports query usage data |
admin:client_export_workspace_users | Admin exports workspace users from client |
admin:add_users | Admin adds users |
admin:remove_users | Admin removes users |
admin:grant_perms | Admin grants permissions |
admin:revoke_perms | Admin revokes permissions |
admin:create_role | Admin creates role |
admin:update_role | Admin updates role |
admin:delete_role | Admin deletes role |
admin:update_user_role | Admin updates user role |
admin:create_export_template | Admin creates export template |
admin:edit_export_template | Admin edits export template |
admin:delete_export_template | Admin deletes export template |
admin:download_export_template | Admin downloads export template |
admin:bulk_update_role_configs | Admin bulk updates role configurations |
admin:get_role_users | Admin gets users for a role |
admin:fetch_client_matters | Admin fetches client matters |
admin:add_client_matters | Admin adds client matters |
admin:delete_client_matters | Admin deletes client matters |
admin:enable_integration | Admin enables integration |
admin:disable_integration | Admin disables integration |
admin:update_integration | Admin updates integration |
admin:update_client_matters | Admin updates client matters |
admin:manage_client_matters | Admin manages client matters |
admin:fetch_stats | Admin fetches statistics |
admin:fetch_workspace_users | Admin fetches workspace users |
admin:update_sharing_settings | Admin updates sharing settings |
admin:upsert_workspace_notice | Admin creates or updates workspace notice |
admin:upsert_workspace_guidance | Admin creates or updates workspace guidance |
admin:upsert_workspace_logo | Admin creates or updates workspace logo |
admin:delete_workspace_logo | Admin deletes workspace logo |
admin:update_workspace_brand_name | Admin updates workspace brand name |
admin:edit_user_profile | Admin edits user profile |
admin:update_playbook_permissions | Admin updates playbook permissions |
admin:publish_playbook | Admin publishes playbook |
admin:unpublish_playbook | Admin unpublishes playbook |
User Operations
| Audit Log Type | Description |
|---|---|
user:create_query | User creates query |
user:client_view_history | User views history in client |
user:fetch_history | User fetches history |
user:client_view_history_item | User views specific history item in client |
user:fetch_history_item | User fetches specific history item |
user:update_history_item | User updates history item |
user:delete_history_item | User deletes history item |
user:cancel_history_item | User cancels history item |
user:fetch_client_matters | User fetches client matters |
user:add_client_matters | User adds client matters |
user:delete_client_matters | User deletes client matters |
user:update_client_matters | User updates client matters |
user:fetch_vault_top_level_folders | User fetches vault top-level folders |
user:fetch_vault_example_project | User fetches vault example project |
user:set_vault_example_project | User sets vault example project |
user:unset_vault_example_project | User unsets vault example project |
user:fetch_vault_folder_path | User fetches vault folder path |
user:fetch_project_metadata | User fetches project metadata |
user:fetch_vault_folder | User fetches vault folder |
user:fetch_vault_file | User fetches vault file |
user:fetch_vault_file_review_rows | User fetches vault file review rows |
user:fetch_vault_files | User fetches vault files |
user:fetch_vault_folders_by_path | User fetches vault folders by path |
user:create_vault_folder | User creates vault folder |
user:create_vault_review_query | User creates vault review query |
user:upload_vault_files | User uploads vault files |
user:update_vault_file_metadata | User updates vault file metadata |
user:update_vault_folder_metadata | User updates vault folder metadata |
user:delete_vault_files | User deletes vault files |
user:delete_vault_folder | User deletes vault folder |
user:fetch_query_questions | User fetches query questions |
user:semantic_search_with_vault_folder | User performs semantic search with vault folder |
user:retry_vault_files | User retries vault files |
user:rerun_vault_review_queries | User reruns vault review queries |
user:mark_review_event_completed | User marks review event as completed |
user:clear_vault_query_errors | User clears vault query errors |
user:fetch_vault_review_query_usage | User fetches vault review query usage |
user:fetch_vault_folder_history_stats | User fetches vault folder history stats |
user:fetch_vault_projects_history_stats | User fetches vault projects history stats |
user:create_vault_folder_sharing_permissions | User creates vault folder sharing permissions |
user:update_vault_folder_sharing_permissions | User updates vault folder sharing permissions |
user:delete_vault_folder_sharing_permissions | User deletes vault folder sharing permissions |
user:create_event_sharing_permissions | User creates event sharing permissions |
user:update_event_sharing_permissions | User updates event sharing permissions |
user:create_library_item | User creates library item |
user:update_library_item | User updates library item |
user:delete_library_item | User deletes library item |
user:connect_integration | User connects integration |
user:disconnect_integration | User disconnects integration |
user:fetch_connected_integrations | User fetches connected integrations |
user:fetch_integration_token | User fetches integration token |
user:export_library | User exports library |
user:accept_workspace_notice | User accepts workspace notice |
user:enable_workspace_feature | User enables workspace feature |
user:disable_workspace_feature | User disables workspace feature |
user:view_dms_one_way_sync | User views DMS one-way sync |
user:create_dms_one_way_sync | User creates DMS one-way sync |
user:trigger_dms_one_way_sync | User triggers DMS one-way sync |
user:update_dms_one_way_sync | User updates DMS one-way sync |
user:delete_dms_one_way_sync | User deletes DMS one-way sync |
user:dms_folder_upload | User uploads folder via DMS |
user:bulk_patch_resource_access | User bulk patches resource access |
user:revoke_resource_access | User revokes resource access |
user:list_resource_access | User lists resource access |
user:dms_file_import | User imports file from DMS |
user:dms_file_export | User exports file to DMS |
user:add_user_profile | User adds user profile |
user:edit_user_profile | User edits user profile |
user:fetch_vault_history_item | User fetches vault history item |
user:review_playbook_document | User reviews playbook document |
user:create_playbook | User creates playbook |
user:create_user_group | User creates user group |
user:add_user_group_members | User adds user group members |
user:remove_user_group_members | User removes user group members |
user:get_user_group_members | User gets user group members |
user:get_user_group | User gets user group |
user:list_user_groups | User lists user groups |
user:delete_user_group | User deletes user group |
user:delete_playbook | User deletes playbook |
user:update_playbook | User updates playbook |
user:convert_playbook_document | User converts playbook document |
user:fetch_playbook_permissions | User fetches playbook permissions |
user:duplicate_playbook | User duplicates playbook |
user:export_playbook_review | User exports playbook review |
user:export_playbook | User exports playbook |
user:list_playbooks | User lists playbooks |
user:fetch_playbook_history | User fetches playbook history |
user:fetch_playbook_version | User fetches playbook version |
System Operations
| Audit Log Type | Description |
|---|---|
system:trigger_dms_one_way_sync | System triggers DMS one-way sync |
Shared Spaces
Shared Spaces and external connection audit logs capture collaboration activity: space membership, resource publishing, and external connection lifecycle. Events are scoped per workspace; each workspace sees audit events for actions its users perform or approve.Space membership and lifecycle
| Audit Log Type | Description |
|---|---|
user:spaces_add_members_to_space | User requested one or more people to be added to a shared space |
user:spaces_member_approval_changed | A member was approved (or status changed) to be added to a shared space |
admin:approve_collab_request | Admin approved a collaboration request (member or resource addition to a space) |
admin:decline_collab_request | Admin declined a collaboration request |
admin:cancel_collab_request | Admin cancelled a collaboration request |
admin:approve_space_request | Admin approved a space request |
admin:decline_space_request | Admin declined a space request |
user:spaces_remove_member_from_space | A member was removed from a shared space |
user:spaces_leave_space | A user left a shared space |
user:spaces_create_space | User created a new shared space |
user:spaces_update_space | User updated shared space settings (e.g. name, color) |
user:spaces_delete_space | User deleted a shared space |
user:spaces_get_home_page | User viewed the Shared Spaces home page |
user:spaces_get_details_page | User viewed a specific shared space’s details page |
user:list_collab_requests | User listed collaboration requests |
user:get_collab_request | User retrieved a collaboration request |
Resource sharing in spaces
| Audit Log Type | Description |
|---|---|
user:spaces_add_resources_to_space | User requested to publish resources (e.g. playbooks, vaults) to a shared space |
user:spaces_resource_approval_changed | Resource(s) were approved and added to a shared space (new access granted) |
user:spaces_resource_unshared | Resource(s) were removed from a shared space |
user:spaces_get_publishable_resources | User fetched the list of resources that can be published to a space |
user:spaces_get_members | User fetched members of a space |
user:spaces_get_invitable_members | User fetched invitable members for a space |
External connections
| Audit Log Type | Description |
|---|---|
admin:create_external_connection_invite | Admin created an external connection invite |
admin:update_external_connection_invite | Admin updated an external connection invite |
admin:approve_external_connection_request | Admin approved an external connection request |
admin:reject_external_connection_request | Admin rejected an external connection request |
admin:add_users_to_external_connection | Admin added users to an external connection |
admin:remove_user_from_external_connection | Admin removed a user from an external connection |
admin:update_user_role_in_external_connection | Admin updated a user’s role in an external connection |
admin:remove_resource_from_external_connection | Admin removed a resource from an external connection |
admin:delete_external_connection | Admin deleted an external connection |
user:get_external_connections_requests_page | User viewed the external connection requests page |
user:get_external_connections_details_page | User viewed the external connection details page |
Use Cases
Use Case 1: Compliance Monitoring and Audit Trail Capture
Challenge: Organizations must maintain detailed records of all user activity for compliance and regulatory requirements. Solution: Regularly fetch and store audit logs using the pagination workflow. Each log entry includes the user, timestamp, IP address, and action type.Use Case 2: Incident Response and User Investigations
Challenge: When investigating a security incident, teams need to reconstruct what happened during a specific time period. Solution: Use/search?time=<timestamp> to start from a specific point in time, then paginate through subsequent logs to track all activity during the incident window.
Use Case 3: Continuous Monitoring
Challenge: Security teams need to monitor recent activity in near real-time. Solution: Periodically poll/latest to get the most recent log entry, then use /audit?from=<last_seen_id>&take=100 to fetch any new logs since the last check.
Regular Cadence Fetching
For continuous monitoring and compliance requirements, you’ll want to fetch audit logs on a regular schedule. Here’s the recommended approach:Initial Backfill
If you’re setting up audit log collection for the first time:Incremental Updates
After your initial backfill, run this on a regular schedule (e.g., every 5-15 minutes):Scheduling Recommendations
- High-activity workspaces: Poll every 5-10 minutes with
take=1000 - Medium-activity workspaces: Poll every 15-30 minutes with
take=500 - Low-activity workspaces: Poll hourly with
take=100
Key Considerations
- Persistent storage: Always save the last processed log ID to disk/database so your process can resume after restarts.
- Idempotency: Audit logs are immutable, so it’s safe to reprocess the same log multiple times if needed.
- Error handling: If a fetch fails, retry from the same log ID and don’t skip ahead.
- Rate limiting: With the 60 req / min, fetching 1000 logs takes approximately 1 second per batch. Plan your cadence accordingly.
- Gap detection: Monitor timestamps to detect if you’re falling behind. If the latest fetched timestamp is more than your polling interval old, increase frequency or batch size.
Best Practices
- Respect rate limits: The API is limited to 60 requests per minute. Implement appropriate delays in your polling logic
- Store logs externally: Export audit logs to your own SIEM or audit repository for long-term retention and analysis
- Handle timestamps correctly: The
timeparameter uses UTC epoch timestamps (seconds since January 1, 1970) - Track pagination state: Always save the last processed log ID to persistent storage to resume pagination if your process is interrupted
- Monitor for new event types: The API may add new event types over time, so build your parsing logic to handle unknown types gracefully
- Implement retries with backoff: If you hit rate limits or encounter errors, implement exponential backoff before retrying
- Deduplicate on ingestion: Use the log
idfield as a unique identifier to prevent duplicate storage if you need to reprocess logs - Set up alerting: Monitor your sync process to ensure logs are being fetched regularly and alert if the process fails
- Use log_type filtering when needed: When you only need specific types of logs, use the
log_typeparameter to filter server-side and reduce bandwidth, processing overhead, and API calls
Error Handling
| Status Code | Description | Example Error Message |
|---|---|---|
| 200 | Success | N/A |
| 400 | Bad Request – Invalid query input | { "error": "Missing required filters" } |
| 401 | Unauthorized – Invalid API key | { "error": "Unauthorized" } |
| 429 | Too Many Requests – Rate limit exceeded | { "error": "Rate limit exceeded" } |
| 500 | Internal Server Error | { "error": "Unexpected server error" } |
Need help getting started? Contact your Harvey Customer Success Manager for more information.