Read the Audit Log
Every state-changing call writes an audit row. Reading the audit log answers questions like "who did this", "when did this booking get cancelled", and "what changed last Tuesday". The same shape is exposed globally, scoped to the caller, and scoped to a specific resource.
What an Audit Row Carries
| Field | Purpose |
|---|---|
type | The handler name, for example PostBooking, DeleteBooking, PutBookable. |
operation | One of create, read, update, delete. |
object_type | Schema-qualified type of the affected row. |
object_id | Id of the affected row. |
owner_id | Organization the row belongs to. |
created_by | The user_claim.id of the actor at the time of the change. |
message | Short human description, often the row's name. |
created_at | When it happened. |
Global Audit
GET /audit?from=2026-05-01T00:00:00Z&to=2026-05-15T23:59:59Z
Returns every audit row the caller can see, filtered by the time range. Use this for tenant-wide compliance exports and back-office tooling.
Optional filters: type, object_type, object_id, created_by, owner_id, message, org_id, loc_id, usr_id. Combine them to narrow the result.
GET /audit?type=DeleteBooking&from=2026-05-01T00:00:00Z&to=2026-05-15T23:59:59ZA query for every deletion in the first half of May.
My Own Audit
GET /me/audit?from=2026-05-01T00:00:00Z&to=2026-05-15T23:59:59Z
Returns the rows the calling user created. Powers a "your activity" view in client UIs.
Per Resource Audit
Every resource that has a CRUD surface exposes a sub-resource audit endpoint so you can pull the history of one specific row without filtering through a global list.
GET /bookable/{id}/audit — every change against this bookable.
GET /booking/{id}/audit — every change against this booking, including the row written when DELETE /booking/{id} runs.
Every other resource type exposes the same endpoint at the same path. The response shape is identical at every level.
Response
{
"data": [
{
"id": "77777777-8888-9999-aaaa-bbbbbbbbbbbb",
"type": "DeleteBooking",
"operation": "delete",
"object_type": "public.booking",
"object_id": "f9955a9a-bb9e-450b-8e91-09a43f0e6cd6",
"owner_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"created_by": "e992bfc1-0336-42c5-bd0a-4f4804a9fd24",
"message": "Canceled booking",
"created_at": "2026-05-12T13:33:24.279Z",
"updated_at": "2026-05-12T13:33:24.279Z"
}
],
"count": 1
}GET /audit/{id} returns a single row when you already have the id.
Notes
- The audit log is append only. Deleting the source row does not remove its history.
created_bypoints atclaimius.user_claim.id, which is the actor token at the time of the change, not atsamna_user.id. See Access Control.- Reads through these endpoints respect access control: a user only sees audit rows for resources they can reach.