audit-log
inspect a site's tamper-evident audit log from the cli. records form a hash chain (each record carries the previous record's hash) so you can detect tampering by walking the chain — audit-log get returns the chain links plus a verification report alongside the record. both verbs are site-scoped, tier A — ready.
list
list audit log records on a site, auto-paginating through the server's cursor pagination until exhausted or --limit is hit.
synopsis — owlette audit-log list --site <siteId> [--kind <csv>] [--actor <actor>] [--since <when>] [--until <when>] [--limit <n>] [--cursor <token>] [--page-size <n>]
| flag | required | purpose |
|---|---|---|
--site <siteId> | yes | site id to list audit records for |
--kind <csv> | no | comma-separated event kinds (e.g. api_key_used,signed_url_issued) |
--actor <actor> | no | exact actor string (e.g. apiKey:<keyId> or user:<uid>) |
--since <when> | no | iso 8601 timestamp or relative duration (30s, 15m, 24h, 7d) |
--until <when> | no | iso 8601 or relative duration; always client-side filter |
--limit <n> | no | stop after fetching this many records in total |
--cursor <token> | no | resume from a previously-returned nextPageToken |
--page-size <n> | no | server-side page size (default 50, max 200) |
important filter caveats:
- the server only supports single-kind exact-match on
kind. when you pass exactly one kind via--kind foo, the cli pushes the filter to the server. when you pass a CSV (--kind foo,bar), the cli falls back to client-side filtering after each page — the server still returns every kind and the cli drops the rest. --untilis always client-side — there is no serveruntilparameter. for very wide windows, prefer narrowing with--sinceto keep the server load reasonable.--sinceaccepts both iso 8601 (2026-04-25T00:00:00Z) and relative durations like24h,7d,30m,5s. relative durations are converted to iso client-side before being sent.
cursor field name: the server returns canonical next_page_token plus deprecated nextPageToken. the cli prints it on the last line of human output as next cursor: <token> so you can resume.
# all events from the last 24 hours
owlette audit-log list --site site-1 --since 24h
# api-key usage in the last week, capped at 100 records
owlette audit-log list --site site-1 --kind api_key_used --since 7d --limit 100
# calls made by one api key
owlette audit-log list --site site-1 --actor apiKey:key_123 --since 24h
# multiple kinds — falls back to client-side filtering
owlette audit-log list --site site-1 --kind api_key_used,signed_url_issued --since 24h
# resume a paginated walk from a saved token
owlette audit-log list --site site-1 --cursor eyJsYXN0SWQiOi... --json | jq '.records | length'backing endpoint: GET /api/sites/{siteId}/audit-log?kind=&actor=&since=&page_size=&page_token=
get
fetch one audit record by its recordHash and print the full payload — kind, actor, occurredAt, attributes — plus the hash chain (previousHash + hash) and the server's verification report (hashValid, linkageValid, isGenesis, predecessorPresent, reason). use this to verify a specific record or to follow the chain backwards.
synopsis — owlette audit-log get <recordHash> --site <siteId> [--json]
| flag | required | purpose |
|---|---|---|
--site <siteId> | yes | site id that owns the record |
owlette audit-log get a1b2c3d4e5f6... --site site-1
owlette audit-log get a1b2c3d4e5f6... --site site-1 --json | jq '.verification'a verification with ok: true means the record's content hashes to its claimed hash AND links correctly to its predecessor (or is the genesis record). if any field is false, the chain has been tampered with or the predecessor is missing.
backing endpoint: GET /api/sites/{siteId}/audit-log/{recordHash}
exit codes
0— success1— generic error (network, api 5xx, unexpected response shape, missing--site, unparseable--since/--until)2— usage error (no token configured)
audit-log has no stub verbs and no exit-3 paths.
notes
- scope: site-scoped read. requires an api key with
site=<id>:read(or broader). - tier: A for both verbs.
- chain integrity: the verification report is computed server-side on every
get. the cli does not re-hash records locally; for offline verification, fetch the full chain via--jsonand pipe to a tool that recomputes hashes. - cli-side vs server-side filters: prefer single-kind
--kind+--sincefor the cheapest queries — anything else streams more bytes than necessary.--limitshort-circuits as soon as the cap is met regardless of where the filter ran. - see overview for global flags and config precedence.
auth
auth groups the three verbs that manage the active profile's stored credential. it acts on the user's local config — the cli's own state — and never touches a site or machine. tier: [ready] for all three verbs.
chat
owlette chat drives cortex ai conversations from the terminal. site-scoped (every verb requires --site), with optional machine narrowing on new. tier: ready — all five verbs are wired to canonical /api/cortex/conversations/* routes. Older /api/chat/* routes are compatibility aliases only.