Merge API Documentation

The Audit Trail records every admin action taken in your Agent Handler organization. Member invitations, role changes, API key rotations, OAuth credential edits, security rule changes, Tool Pack edits - anything that mutates configuration or access. It’s the artifact your security review will ask for, and the evidence you’ll pull when you need to know who changed what and when.

Different from the Tool Call Logs (which capture agent activity) and the API Request Logs (which capture your backend’s calls). The Audit Trail is specifically about administrative actions on the dashboard or via the management API.

What’s captured

For each event:

Event type. What was done (role.updated, api_key.regenerated, tool_pack.created, etc.).
Actor. The dashboard user (or the API key) that performed the action.
Resource. What was changed - Registered User ID, Tool Pack ID, rule ID, member ID.
Before/after diff. For updates, the specific fields that changed and their old and new values.
Source. Web dashboard, API, or system (for automated actions like SCIM-driven changes).
IP address of the actor, when available.
Timestamp.

Event catalog

The full set, grouped by area.

Members and access

Event	Fires when
`member.invited`	Admin invites a new member
`member.joined`	Invited member accepts and logs in for the first time
`member.role_changed`	A member’s role is updated
`member.removed`	A member is removed from the org
`role.created` / `role.updated` / `role.deleted`	Custom role lifecycle
`mfa.enabled` / `mfa.disabled` / `mfa.reset`	Member MFA changes
`sso.configured` / `sso.required` / `sso.disabled`	SSO configuration changes
`scim.token_regenerated`	SCIM token rotated

API keys and credentials

Event	Fires when
`api_key.created`	Test API key generated
`api_key.regenerated`	Production key rotated
`api_key.deleted`	Test key deleted
`allowed_origin.added` / `allowed_origin.removed`	Callback origin changes
`application_credential.added` / `application_credential.updated` / `application_credential.deleted`	BYO OAuth app changes

Configuration

Event	Fires when
`tool_pack.created` / `tool_pack.updated` / `tool_pack.deleted`	Tool Pack lifecycle
`tool_pack_connector.added` / `removed`	Connectors added or removed from a pack
`tool_description_override.created` / `updated` / `deleted`	Per-pack Tool Description Overrides
`tool_input_override.created` / `updated` / `deleted`	Per-pack input schema overrides
`Connector.enabled` / `Connector.disabled`	Org-level Connector enablement

Security rules

Event	Fires when
`standard_rule.updated`	Default entity rule action or threshold changed
`custom_rule.created` / `updated` / `deleted`	Custom Regex Rule lifecycle
`rule_override.created` / `updated` / `deleted`	Per-tool-pack rule overrides

Webhooks

Event	Fires when
`webhook.subscription_created` / `updated` / `deleted`	Outbound webhook lifecycle
`webhook.signing_secret_rotated`	Verification key rotated

Where to view it

Settings → Audit Trail. The default view is the last 7 days, all events. The filter bar supports event type, actor, resource type, date range, and source.

Click any row to open the event detail with the full diff. For events that touched multiple fields, every field’s old and new value is shown side by side.

Investigation flow

“Who changed this?” Filter by resource type and ID. The Audit Trail shows every event against that resource in chronological order with the actor on each row.

“What did this person do?” Filter by actor. You’ll see everything that member touched across resources - useful when offboarding, before revoking access.

Exporting

The Export button produces CSV of whatever filter is currently applied. For compliance reviews where you need to show a 12-month window, set the date filter and export.

The CSV includes:

Event ID
Timestamp (ISO 8601, UTC)
Event type
Actor email and ID
Resource type and ID
Source (dashboard, API, system)
Diff (JSON-encoded before/after for update events)

For automated forwarding to a SIEM or data warehouse, the audit-trail export endpoint is documented in the API reference.

Retention

90 days on standard plans. 1 year on Business. Custom on Enterprise. Beyond your retention window, exported CSVs are the path to long-term storage.

If your compliance requirements need longer retention than your plan provides, schedule periodic exports via the API and store them in your own systems.

What it doesn’t capture

The Audit Trail covers admin actions on the management plane - mutations, not reads. It doesn’t include tool calls (see Tool Call Logs), backend API requests (see API Request Logs), or the OAuth-flow steps that lead up to a credential.created event. For the full picture, combine the three streams.

Manage who on your team can do what with Team and roles.