Audit Log
The audit log is a per-account record of security-relevant actions. It's designed to answer questions like "who created that API key?" and "when did our IP allowlist change?" and to satisfy SOC-2 or vendor-security questionnaires that ask whether DeployHQ provides an audit trail.
The log is queryable via the API, the UI under Account Settings, and a CSV export.
What's logged
- Authentication: session started (local password), session ended, API access blocked when an account loses API access.
- Sign-in security: failed sign-in against one of your users, password changed, two-factor authentication enabled or disabled, and sign-out, recorded against the user it happened to.
- API keys: created, revoked.
- IP allowlist: rule added, rule removed.
- Team and role-based access: team created, updated, deleted; member added or removed; project access granted or revoked.
- SSO configuration: SAML configuration created, updated, deleted; enabled or disabled; enforcement turned on or off for the account.
- Sensitive resources: project created or deleted, server created or deleted, server credentials rotated (connection password or key changed), integration created or deleted, account cancelled.
What's not logged in v1
The audit log is deliberately scoped to security-relevant lifecycle actions, not the full activity stream. The following are not in the audit log and remain in the standard product analytics:
- Page views and navigation.
- Deployment events (start, finish, retry).
- Configuration file edits.
- Build cache lifecycle.
- AI overview interactions and onboarding steps.
If your security review depends on any of these specifically, contact support. we can pull them from our operator-side logs.
Retention
The audit log retention window depends on your plan:
| Plan | Retention |
|---|---|
| Solo, Pro | 30 days |
| Business | 90 days |
| Enterprise | 360 days |
Events within your plan's window are queryable via the API, UI, and CSV export. Events older than your plan's window are removed and are no longer retrievable, so export anything you need to keep before it ages out.
Tamper evidence
Each audit event includes a SHA-256 hash that chains to the previous event in your account's log. Any modification or deletion of a row breaks the chain and is detected by an automated verification job.
The chain is verifiable end-to-end. If you need an attestation that your audit chain is intact for a specific window, contact support.
API
GET /audit_events.json
Authentication
Standard Main API basic authentication using an API key.
Query parameters
| Parameter | Description |
|---|---|
event_name |
Exact event name (e.g. api_key.created). |
user_id |
Filter by the actor user's id. |
from |
ISO8601 timestamp; events at or after this time. |
to |
ISO8601 timestamp; events at or before this time. |
page |
Page number (default 1). |
per_page |
Per-page size (default 50, max 200). |
Response
{
"events": [
{
"id": 12345,
"occurred_at": "2026-05-28T14:22:01Z",
"event_name": "api_key.created",
"actor": { "type": "user", "id": 88, "label": "Jane Doe" },
"target": { "type": "ApiKey", "id": 901, "label": "CI deploy key" },
"ip": "203.0.113.42",
"user_agent": "Mozilla/5.0 ...",
"metadata": { "description": "CI deploy key" }
}
],
"meta": { "total": 124, "page": 1, "per_page": 50 }
}
CSV export
GET /audit_events.csv
Accepts the same query parameters as the JSON endpoint. The export is capped to your plan's retention window (see the table above): requests with from further back than the window, or a from to to span wider than the window, return a 422 error.
For windows wider than your plan's retention, request a CSV from support.
UI
Account administrators can access the audit log in the UI under Account Settings. Non-admin users in your account cannot view the audit log.
Latency
Audit events are written synchronously with the action that produces them, so a new event is queryable immediately after the action completes. The CSV export and the chain hash are also computed immediately.
For identity-side events (failed login attempts, password changes, two-factor changes), there is a short delay of a few seconds while the event is dispatched from our identity service to your account's audit log.
Questions
If you need an event added to the v1 scope, an export wider than your plan's retention window, or a chain attestation for a specific time window, open a support ticket and we'll work with you.