Security
Audit log
What gets recorded in the workspace audit log, how long entries are kept, and how to export them.
Updated 2026-05-12
The audit log is a tamper-resistant record of security-sensitive actions in your workspace. It answers the question "who did what, and when?" — useful for incident investigation, compliance reviews, and offboarding team members.
What gets logged#
Every entry records the actor (email and name), the action kind, the affected resource, and the IP address the request came from. The kinds currently logged include:
| Event | Description |
|---|---|
invitation.created | Someone was invited to the workspace |
invitation.accepted | An invitation was accepted |
invitation.revoked | An invitation was cancelled before it was accepted |
member.added | A member was added to the workspace |
member.removed | A member was removed |
api_key.created | An API key was issued |
api_key.revoked | An API key was revoked |
workspace.updated | Workspace name, slug, or settings changed |
branding.updated | Custom branding (logo, colours) was updated |
branding.cleared | Branding was reset to defaults |
Link creates, edits, and deletes are tracked in analytics click events and link history respectively, not in the audit log. The audit log focuses on administrative and access-control actions.
Where to find it#
Settings → Security → Audit log. The log loads the most recent 200 entries by default, newest first. Each row shows the actor, a plain-English description of the action, any affected resource, and a relative timestamp.
Retention#
- Paid plans — 90 days of rolling history.
- Free plan — 30 days of rolling history.
Entries older than the retention window are deleted automatically. If you need longer retention for compliance, export regularly (see below) or contact us about Enterprise plans with extended audit storage.
Exporting to CSV#
To export the audit log:
- Go to Settings → Security → Audit log.
- Click Export CSV at the top of the log panel.
- The download includes all entries within your retention window: timestamp, actor email, actor name, event kind, target type, target ID, IP address, and any metadata.
The CSV is UTF-8 encoded with RFC 4180 quoting. It's designed to import cleanly into Excel, Google Sheets, or a SIEM tool.
For automated exports, you can use the API:
curl -H "Authorization: Bearer $ELIDO_API_KEY" \
"https://api.elido.app/v1/audit?workspace_id=<id>&limit=1000"
The endpoint returns JSON; pipe it through jq or your own ETL to convert formats.
What's not in the audit log#
- Click events on short links — those live in Analytics.
- Link creation and editing — those are in link history, visible per-link in the dashboard.
- Billing events — invoices and subscription changes are in Settings → Billing → Invoice history.
- Personal profile changes (password, MFA) — those are logged at the identity provider level (Ory Kratos) and are not surfaced here.
Troubleshooting#
The log is empty. If the workspace is new, there may not be any loggable events yet. The first event is typically api_key.created or member.added. If you've had activity and the log is still empty, check that you're on the right workspace — audit logs are workspace-scoped.
I can see the log but can't export. Export requires Owner or Admin access. Member-level users can view the log in the dashboard but can't download it.
An event I expected isn't showing. Check the event list above. Link management and billing events are in different parts of the dashboard. If you believe an action should have been logged and wasn't, contact support with the approximate time and the actor's email.
I need logs older than 90 days. Entries beyond the retention window are gone permanently unless you exported before the cutoff. Set up a weekly or monthly export if your compliance requirements extend past 90 days.