Skip to main content
POST
/
audit
/
search
Search audit logs
curl --request POST \
  --url 'https://api.flashcat.cloud/audit/search?app_key=' \
  --header 'Content-Type: application/json' \
  --data '
{
  "start_time": 1712620800,
  "end_time": 1712707200,
  "limit": 20,
  "operations": [
    "template:write:create",
    "template:write:delete"
  ]
}
'
{
  "request_id": "01HK8XQE3Z7JM2NTFQ5YJ8P9R4",
  "data": {
    "total": 2,
    "search_after_ctx": "",
    "docs": [
      {
        "created_at": 1712700123456,
        "account_id": 10023,
        "member_id": 80011,
        "member_name": "Alice",
        "request_id": "01HK8XQE3Z7JM2NTFQ5YJ8P9R4",
        "ip": "203.0.113.42",
        "operation": "template:write:create",
        "operation_name": "创建模板",
        "body": "{\"template_name\":\"Prod default\"}",
        "params": [],
        "is_dangerous": false,
        "is_write": true
      }
    ]
  }
}

Restrictions

AspectValue
Rate limits1,000 requests/minute; 50 requests/second per account
PermissionsAudit Read (organization)

Usage

  • Time range is required. Maximum span is 90 days. Both start_time and end_time are Unix epoch seconds.
  • Use search_after_ctx from the previous response to fetch the next page. The token is opaque — do not construct it manually.
  • The retention window depends on the account’s license. Queries beyond the retention boundary silently return an empty result rather than an error.
  • Default page size is 20 rows; maximum is 99.

Authorizations

app_key
string
query
required

App key issued from the Flashduty console under Account → APP Keys. Required on every public API call. Keep it secret — it grants the same access as the owning account.

Body

application/json

Filter criteria for audit log search. Time range is required.

start_time
integer<int64>
required

Start of the search window, Unix epoch seconds.

Example:

1712620800

end_time
integer<int64>
required

End of the search window, Unix epoch seconds. Must be after start_time. Maximum span 90 days.

Example:

1712707200

limit
integer

Page size. Minimum 0, maximum 99.

Required range: 0 <= x <= 99
Example:

20

request_id
string

Filter to a single request by its unique request ID.

search_after_ctx
string

Opaque pagination cursor returned by the previous response. Leave empty for the first page.

operations
string[]

Filter to specific operation names. Use POST /audit/operation/list to get the valid set.

person_id
integer<uint64>

Filter by the member who performed the action.

is_dangerous
boolean | null

When true, return only high-risk (dangerous) operations.

is_write
boolean | null

When true, return only write operations; when false, return only read operations.

Response

Success

Success response envelope. On every 2xx response, request_id identifies the call (also mirrored in the Flashcat-Request-Id header) and data holds the endpoint-specific payload. Failure responses use a different shape — see ErrorResponse.

request_id
string
required

Unique ID for this request. Mirrored in the Flashcat-Request-Id response header. Include it when reporting issues.

Example:

"01HK8XQE3Z7JM2NTFQ5YJ8P9R4"

data
object
required

Cursor-paginated audit log search result.