audit
1ctl audit gives you read access to Satusky’s immutable audit log. Every significant action on the platform — deploying an app, creating a secret, adding a user to an organization, changing billing settings — is recorded as an audit log entry at the time it happens.
The log is append-only. Entries cannot be modified or deleted, which makes it suitable for compliance evidence and post-incident investigation.
action happens → AuditService.Record() → audit_logs table (append-only)Every log entry carries: the timestamp, who did it (user ID + IP address), what they did (action type), what resource was affected (type + ID), what changed, and the request ID. The request ID ties an audit entry back to the API server access log for deep debugging.
Commands
Section titled “Commands”1ctl audit list
Section titled “1ctl audit list”1ctl audit list [--limit <n>] [--action <type>] [--user <id>]Lists audit log entries in reverse-chronological order. Without filters, returns the most recent 20 entries across all action types.
Flags
| Flag | Default | Description |
|---|---|---|
--limit <n> | 20 | Number of entries to return. |
--action <type> | all | Filter by action type. See the action types table below. |
--user <id> | all | Filter by the user who performed the action. |
Common action types
| Action | What it covers |
|---|---|
deploy | Deployment created or updated |
deploy.destroy | Deployment permanently deleted |
deploy.rollback | Deployment rolled back to a previous version |
secret.create | Secret group created |
secret.delete | Secret or secret group deleted |
user.add | User added to an organization |
user.remove | User removed from an organization |
user.role.update | User’s organization role changed |
token.create | API token created |
token.delete | API token deleted |
org.update | Organization settings changed |
domain.add | Custom domain attached |
domain.remove | Custom domain removed |
# Most recent 20 entries1ctl audit list
# Last 50 entries1ctl audit list --limit 50
# All deployment events1ctl audit list --action deploy
# Everything a specific user did1ctl audit list --user usr_01j9x7k3p2
# Secret operations in the last 20 entries1ctl audit list --action secret.createExample output:
ID TIMESTAMP ACTION USER RESOURCElog_123abc 2026-04-27T10:14:02Z deploy [email protected] deployment/api-serverlog_456def 2026-04-27T09:55:11Z secret.create [email protected] secret/database-credslog_789ghi 2026-04-27T08:30:44Z user.add [email protected] user/usr_new99log_012jkl 2026-04-26T18:22:01Z token.create [email protected] token/tok_abc1231ctl audit get
Section titled “1ctl audit get”1ctl audit get <log-id>Returns the full details for a single audit log entry. This is where you find the exact fields that changed and the IP address the request originated from.
1ctl audit get log_123abcExample output:
ID: log_123abcTimestamp: 2026-04-27T10:14:02ZAction: deployUser: [email protected] (usr_01j9x7k3p2)IP: 203.0.113.45Request ID: req_7f3a1b2c
Resource: Type: deployment ID: dep_01j9x7k3p2 Name: api-server
Changes: image: registry.satusky.com/.../api-server:deploy-1714900000 → registry.satusky.com/.../api-server:deploy-1715000000 replicas: 1 → 2Compliance notes
Section titled “Compliance notes”Audit logs are scoped to your organization. You see entries for actions taken within your org — not for other organizations on the platform.
For compliance workflows that need audit data in bulk (SOC 2, ISO 27001 evidence), the API endpoint backing audit list is GET /v1/cli/audit and accepts the same action, user, and limit parameters as query strings. You can script against it directly with your API token.
# Pull the last 200 entries as JSON for exportcurl -s "https://api.satusky.com/v1/cli/audit?limit=200" \ -H "x-satusky-api-key: $SATUSKY_API_KEY" | jq .