Skip to main content

Documentation Index

Fetch the complete documentation index at: https://radarhq.io/docs/llms.txt

Use this file to discover all available pages before exploring further.

The audit log is owner-only and lives at Settings → Organization → Activity. Every mutating action against the Cloud API emits an audit event - persisted in Postgres, queryable via the UI or GET /api/orgs/{id}/audit.

What’s recorded

CategoryActionWhen
clustercluster.createdA cluster is registered
cluster.updatedName / env / labels change
cluster.deletedCluster removed from the org
cluster.token_rotatedInstall token rotated
cluster.action_deniedA privileged action was rejected by Cloud RBAC
cluster.agent.upgrade_requestedAn owner triggered an in-cluster Radar upgrade
orgorg.createdNew org
org.updatedName / domains / default role changed
org.sso.portal_openedAn owner launched the WorkOS Admin Portal
org_invitationorg_invitation.createdInvite sent
org_invitation.acceptedInvite accepted
org_invitation.revokedPending invite revoked
org_memberorg_member.joinedUser joined via accepted invite
org_member.auto_joinedUser joined via domain auto-join
org_member.sso_joinedUser joined via SSO sign-in
org_member.removedMember removed
patpat.createdToken minted
pat.revokedToken revoked
billingbilling.checkout_startedStripe Checkout session opened
billing.subscription_changedPlan, quantity, or status changed (covers upgrades, downgrades, payment failures, quantity sync)
authauth.signinUser signs in
auth.signoutUser signs out
Cluster connection / disconnection events live on the Notifications stream, not the audit log - they’re operational signal, not a security record. Role changes are recorded on the resulting org_member.* row; the previous role lives in metadata.

Event shape

{
  "id": "ae_01HF...",
  "org_id": "org_01HF...",
  "actor_user_id": "user_01HF...",
  "actor_email": "alice@acme.com",
  "action": "cluster.token_rotated",
  "target_type": "cluster",
  "target_id": "cl_01HF...",
  "target_label": "prod-us-east-1",
  "metadata": { "source": "ui", "rotated_from": "rhc_old..." },
  "ip": "203.0.113.42",
  "user_agent": "Mozilla/5.0 ...",
  "created_at": "2026-04-22T12:34:56Z"
}
The metadata object is per-action. For org_member.joined, expect the inviting actor and the role granted. For billing.subscription_changed, expect the Stripe subscription id, the previous and new plan, and the previous and new cluster quantity. PAT-authenticated actions record the PAT name in metadata.via_pat so you can distinguish browser vs. token activity.

Filtering

In the UI:
  • Action - free-text or pick from the action dropdown.
  • Target type - cluster / org / org_member / org_invitation / pat / billing / auth.
  • Actor - by member email.
  • Time range - last 24h / 7d / 30d / custom.
Cursor pagination for older events (50 per page). The pagination cursor is stable, so URL-shareable.

Export

Add ?format=csv to the audit endpoint: 
curl -H "Authorization: Bearer rhp_..." \
  "https://api.radarhq.io/api/orgs/<org_id>/audit?format=csv&since=2026-04-01" \
  > audit.csv
Or use the Export CSV button in the UI. Export honors the current filter set.

Retention

PlanRetention
Free7 days
Team30 days
Enterprise365 days
Retention is currently a read-time filter (events older than the floor are filtered out of every read). Background deletion is on the roadmap.

Programmatic access

GET /api/orgs/{org_id}/audit
GET /api/orgs/{org_id}/audit?action=cluster.deleted
GET /api/orgs/{org_id}/audit?since=2026-04-01&until=2026-04-15
GET /api/orgs/{org_id}/audit?actor=alice@acme.com
GET /api/orgs/{org_id}/audit?format=csv
PAT-based access works for owners only - the same scope as the UI.

What’s NOT in the audit log

  • K8s API calls. What happens inside a connected cluster (a deployment scaled, a pod exec’d) is not captured by the Cloud audit log. K8s itself maintains an audit.k8s.io log if you’ve configured one. The Cloud audit log is for control-plane actions, not in-cluster actions.
  • Reads. GET / list operations aren’t recorded. We log mutations.

See also