The Audit page is paginated and filterable. Knowing how to drive it is the difference between "I can't find what happened" and "here's the chronology for tenant X over the last hour." This guide covers the interactive surface; the full event-type vocabulary lives in Audit event reference.
The default view
Section titled “The default view”When you land on the page, you see the most recent 50 events, sorted newest-first. Five columns:
- When — UTC timestamp, formatted in your local timezone.
- Type — the event-type slug (e.g.
tenant.provisioning.completed). - Actor — the member who took the action, or
systemfor platform-emitted events. - Tenant — the tenant id this event concerns, or blank for org-level events.
- Details — a short human-readable phrase.
Pagination is at the bottom: Prev / Next + the current page indicator. Each page is 50 events; the feed itself goes back as far as your audit retention policy allows.
Filter by event type
Section titled “Filter by event type”The filter box at the top accepts a substring match against the type. Examples:
tenant.provisioning— every provisioning-related event (started, step_completed, completed, failed, compensated).tenant.deprovisioning— every decommission-related event.org.member— invitations, role changes, removals.tenant.suspended— only the suspension events.
Click Apply to filter; the table re-renders. Pagination resets to the first page.
To clear the filter, empty the box and click Apply again.
Filter by tenant
Section titled “Filter by tenant”When you arrive at the audit page from a tenant's detail page (via the "View audit" link), the filter is pre-populated with that tenant's id. The URL carries the filter as a query parameter, so you can bookmark or share that filtered view.
Common queries
Section titled “Common queries”A few useful filter patterns:
- "What happened to tenant X today?" — Apply the tenant filter; scroll back to today's earliest entries.
- "Did anyone change a member's role recently?" — Filter type with
org.member_role_changed. - "Show me all provisioning failures this week." — Filter type with
tenant.provisioning.failed; pagination back through this week. - "Who suspended things and when?" — Filter type with
tenant.suspended; sort by When (default).
Reading an event
Section titled “Reading an event”Click any row to expand the Details column inline. The expanded view shows the raw event payload — a JSON-shaped object with the fields documented in Audit event reference per event type.
Typical payload fields:
reason— when a state change was driven by a specific intent (suspend reason, decommission reason).from/to— for transitions (role changes, plan changes).duration_seconds— for provisioning completion events.failed_activity— for provisioning/deprovisioning failures.
Exporting
Section titled “Exporting”When your plan includes audit export, an Export button appears on the toolbar. It exports the currently-filtered view (not the whole feed) to CSV or JSON. Useful for compliance review or piping into your own SIEM.
If Export isn't visible, your plan tier doesn't include it. See Plans overview.
What you can't do from this page
Section titled “What you can't do from this page”- You can't edit events. The audit log is append-only by design. The platform never modifies historical entries.
- You can't delete events. Even Owner can't. Audit retention is governed by policy; entries age out automatically per the retention window.
- You can't see tenant-internal events here. What individual users did inside a tenant (login, MFA, password reset) lives in that tenant's own audit log, not this org-level feed.