The Audit Log lets organization admins monitor key security events and user actions across their Amplitude organization. It contains details about each user action, including the user, time, and location.

## Tracked events by category

The Audit Log tracks the following events:

### High-risk events

**Project and configuration**

- Project creation, updates (permissions), and deletion.
- Project data export.

### Medium-risk events

**User management**

- User invitations.
- Role updates to or from Admin.
- Role permission changes.
- Create, update, or delete roles.
- User exports.
- Access toggles (for example, request access).
- Bulk access transfers or edits.
- User deletions.
- Group creation and member updates.

**Access controls**

- SSO configuration changes (settings updates, toggles such as "require SSO").

### Low-risk events

**Authentication**

- Login through SSO, magic link, password, or Google.
- Registration events.
- Password reset attempts.

**Content management**

- Chart, dashboard, or notebook deletion.
- Chart, dashboard, or notebook export.
- Cohort export to external destinations.

**User access**

- User profile views.
- User timeline views.

## Data captured per event

Each audit log entry includes:

- **Timestamp**: When the action occurred.
- **Domain**: Category (for example, content, config, group).
- **Feature**: Sub-category (for example, chart, user, group).
- **Action**: What was done (create, delete, update, invite, and so on).
- **Target**: The entity the action affects.
- **User (Email)**: Who performed the action.
- **Org ID**: Which organization the action belongs to.
- **App/Project ID**: Associated project (if relevant).
- **IP Address**: The IP address of the user who performed the action.
- **User Agent**: The browser or client info.
- **Event Properties**: Additional context specific to the event (JSON).
- **Error**: Error information if the action failed.

{% callout type="note" heading="Availability through the API" %}
You can only access IP address, Org ID, User Agent, and Error metadata through the API endpoint, not the UI CSV export.
{% /callout %}

## Key behaviors and notes

- Audit logs retain up to 90 days of data.
- Audit logging is asynchronous and doesn't block the user's original action.
- Amplitude captures events automatically; you don't need to add instrumentation.
- The audit log scopes to the organization.
- Admins can access events across all projects in their org.
- You can search audit logs by user email in the UI.
- Audit logs exist in all production environments, including US and EU.

## Accessing audit logs

You can access audit logs from the Organization Settings page in Amplitude or through the [Audit Logs API](/docs/apis/audit-logs).

### Access audit logs in the UI

1. Navigate to _Organization Settings_.
2. Select the **Audit Logs** tab.

Only organization admins can access the Audit Log menu item.

#### Summary cards

At the top of the Audit Logs view, summary cards show counts for the time period selected in the date picker:

- **All Events**: Total count of logged events.
- **High Risk Event**: Total count of high-risk activity.
- **Medium Events**: Total count of medium-risk events.

#### High-risk events table

A filtered table shows only high-risk security events, such as promoting a user to org admin or updating organization link settings. You can search and sort this table.

#### Controls

- **Refresh**: Reload the latest audit log data.
- **Export CSV**: Download all raw audit log data as a CSV file for offline analysis or compliance archival.

### Access audit logs through the API

For programmatic access to the full raw audit log, use the REST API endpoint to query and download raw audit logs.

#### Obtain an org secret key

Before you use the API, request an organization secret key. Contact [Amplitude Customer Support](https://gethelp.amplitude.com/hc/en-us/categories/26943798330267-Amplitude-Technical-Support) and provide your organization ID. After Support generates your key, you can use it to authenticate and download audit logs securely.

#### Make the API request

**Endpoint:**

```http
POST https://amplitude.com/api/2/audit-logs/<ORG_ID>
```

**Example request:**

```bash
curl -X POST "https://amplitude.com/api/2/audit-logs/76273" \
  -H "Authorization: Basic Base64<ORG_API_KEY:ORG_SECRET_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "start_date": "2025-11-01T00:00:00Z",
    "end_date": "2025-11-10T23:59:59Z",
    "filters": {
      "domain": "auth",
      "feature": "auth",
      "action": "login"
    },
    "pagination": {
      "limit": 100
    }
  }'
```

#### Required parameters

| Parameter    | Required | Description                                 |
| ------------ | -------- | ------------------------------------------- |
| `start_date` | Yes      | Start of the date range in ISO 8601 format. |
| `end_date`   | Yes      | End of the date range in ISO 8601 format.   |

All other fields (`filters`, `pagination`) are optional and refine your query.

#### API limitations

- Maximum 30-day query range for each request.
- 90-day data retention: You can access only the last 90 days of audit log data.