Audit logging is not yet available for self-hosted deployments.
Grant access
Members of the Owners permission group can read organization audit logs by default. To let anyone else read them, grant the organization-level Read audit logs permission in Settings > Permission groups.The Read audit logs permission grants read access to audit log entries for the organization. It does not grant access to modify the audited resources.
View the audit log
To view recent organization activity, go to Settings > Audit log. The table lists actions performed by members of your organization, with the most recent events first. Use the controls above the table to customize the view:- Time range: Select Last 24 hours, Last 7 days, or Last 30 days. The default is Last 7 days.
- Filters: Narrow results by fields such as actor, event type, or resource.
- Columns: Show or hide columns. ID, details, and before and after change columns are hidden by default.
Query the audit log
Users with the Read audit logs permission can query audit logs with SQL using theaudit_logs('<org_id>') data source. No additional configuration is required to query them.
Run a query from the SQL sandbox, the bt sql CLI, or the API.
Examples:
Recent activity across the organization
All actions taken by a specific member
Permission and access control changes in the last 30 days
What gets logged
Each audit log entry records a single event: what happened, who performed it, and what changed.Fields
Each organization audit log entry includes:| Field | Description |
|---|---|
created | Event timestamp. |
org_id | Organization where the event occurred. |
project_id | Project associated with the event, when applicable. |
actor_id | User or service account that performed the action. |
event_type | Event name in <resource>.<action> form, such as project.updated. |
event_details | Additional event-specific metadata. |
resource_type | Type of resource that changed. |
resource_id | ID of the resource that changed. |
resource_name | Human-readable resource name. |
actor_details | Request metadata, including IP address, user agent, request ID, and authentication token details. |
before_changes | Relevant resource fields before the event. Populated for update and delete events. |
after_changes | Relevant resource fields after the event. Populated for create and update events. |
before_changes is null. For delete events, after_changes is null. For update events, both fields contain the changed resource values. Readonly events contain neither.
Events
Braintrust records organization audit log events for these resource categories:| Resource category | Resource types | Event types |
|---|---|---|
| Organizations | organization | organization.created, organization.updated |
| Projects | project | project.created, project.updated, project.deleted |
| Experiments | experiment | experiment.created, experiment.updated, experiment.deleted |
| Datasets | dataset | dataset.created, dataset.updated, dataset.deleted |
| AI providers and secrets | ai_secret | ai_secret.created, ai_secret.updated, ai_secret.deleted |
| API keys | api_key | api_key.created, api_key.deleted |
| Data plane manager service tokens | service_token | data_plane_service_token.created, data_plane_service_token.replaced |
| Permission groups | group | group.created, group.updated, group.deleted |
| Permission group membership | group_member | group_member.created, group_member.deleted |
| Roles | role | role.created, role.updated, role.deleted |
| Role membership | role_member | role_member.created, role_member.deleted |
| Role permissions | role_permission | role_permission.created, role_permission.deleted |
| Organization members | org_member | org_member.created, org_member.deleted |
| Access grants | acl | acl.created, acl.deleted |
Audit logs can take a few minutes to show up after an action occurs.
Sensitive values
Braintrust excludes or redacts sensitive values in audit logs:- API key hashes and raw keys are not included. Audit entries include the API key preview name when available.
- AI provider secrets are redacted. Audit entries include a secret preview and omit encrypted secret material and key names.
- Resource IDs, organization IDs, project IDs, creation timestamps, update timestamps, and deletion timestamps are omitted from
before_changesandafter_changeswhen they would add noise to the change diff.
Audit data reads
Braintrust can record reads of your organization’s data as audit log entries. This covers both SQL queries run manually and ones run implicitly by the Braintrust UI when you browse logs, experiments, and traces. Because every data read is logged, this can produce a high volume of audit logs and is recommended only for organizations with strict data access auditing requirements. Braintrust records the following event for data reads:| Resource category | Resource types | Event types |
|---|---|---|
| SQL queries | btql | btql.read |
Next steps
- Access control to learn how organization permissions work.
- Manage permissions to grant Read audit logs to a permission group.
- SQL reference to learn about how to query audit logs with SQL.