Audit Log
The CH-UI Cloud workspace audit log — who did what, when, across members, connections, integrations, billing, and sign-ins.
The audit log records administrative actions in a CH-UI Cloud workspace, so owners and admins can answer "who changed this, and when?" — a baseline requirement for security reviews and SOC 2.
It's available to owners and admins at Console → Audit log.
This is the console audit log (workspace administration). It is distinct from Governance, which records ClickHouse query activity and metadata changes inside a connection.
What's recorded
| Action | When it fires |
|---|---|
auth.login | A member signs in via magic link |
sso.login | A member signs in via SSO |
member.invited | A member is invited to the workspace |
member.role_changed | A member's role is changed |
member.removed | A member is removed |
org.created | A workspace is created |
org.deleted | A workspace is deleted |
connection.created | A connection (tunnel or direct) is added |
connection.deleted | A connection is removed |
github.connected | The GitHub app is connected to the workspace |
github.disconnected | The GitHub integration is removed |
billing.subscription_updated | A plan/subscription change is applied (from Stripe) |
sso.configured / sso.removed | SSO settings are changed |
Each entry captures the actor (email), the action, an optional target (e.g. the affected user or connection), structured metadata, the IP address, the user agent, and a timestamp.
Using it
The page lists events newest-first with:
- Search across actor, action, and target
- Action filter (sign-ins, member changes, connections, GitHub, billing…)
- Time range (24h / 7 days / 30 days / all time)
- Load more paging
Properties
- Tamper-resistant by design: there is no UI to edit or delete individual entries. Workspace deletion is recorded at the account level so the event survives even after the workspace is gone.
- Actor preserved: the actor's email is stored on the event, so the trail stays meaningful even if the user is later removed.
- System actions (e.g. a Stripe-driven plan change) are attributed to
system.
API
| Method | Path | Description |
|---|---|---|
GET | /console/orgs/{slug}/audit | List events. Query: action, search, timeRange, limit, offset. Admin only. |