Audit logs
Overview
Audit logs provide a chronological record of administrative actions performed within your workspace, supporting security monitoring, compliance reporting, and incident investigation. Coverage spans over 100 endpoints across user provisioning, authentication, API key management, and other administrative surfaces.
Logs are emitted in the OCSF v1.6.0 schema with the datetime and host profiles applied, so most entries can be ingested into a SIEM with minimal normalisation.
Access requirements
Two independent checks gate retrieval:
Requests authenticate with a workspace API key. The user or service account associated with the key must hold the audit_log_read permission.
Retrieving logs
Audit logs are returned by GET /v1/workspace/audit-logs. See the API reference for the full list of query parameters and pagination details.
Rate limits
Requests are limited to 30 per minute per user. Combined with the maximum limit of 100, this allows up to 3,000 entries per minute.
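One way to drain a backlog while staying inside these limits, as an added example that is not ElevenLabs' own code: a sliding-window pacer that never sends more than 30 page requests in any 60 seconds. The `fetch_page(cursor, limit)` wrapper and its cursor semantics are assumptions, since the pagination details live in the API reference; the demo runs against constructed in-memory entries and a fake clock.

```python
import time
from collections import deque

MAX_REQUESTS_PER_MINUTE = 30  # per-user rate limit stated above
MAX_PAGE_SIZE = 100           # maximum `limit` stated above
WINDOW_SECONDS = 60

class PacedPager:
    """Drain a paginated audit-log endpoint without exceeding the rate limit."""

    def __init__(self, fetch_page, clock=time.monotonic, sleep=time.sleep):
        # fetch_page(cursor, limit) -> (entries, next_cursor) is a hypothetical
        # wrapper around GET /v1/workspace/audit-logs; next_cursor None = done.
        self.fetch_page, self.clock, self.sleep = fetch_page, clock, sleep
        self.sent = deque()  # send times of requests inside the current window

    def _wait_for_slot(self):
        while True:
            now = self.clock()
            # Forget requests that have aged out of the 60-second window.
            while self.sent and now - self.sent[0] >= WINDOW_SECONDS:
                self.sent.popleft()
            if len(self.sent) < MAX_REQUESTS_PER_MINUTE:
                self.sent.append(now)
                return
            # Window is full: sleep until the oldest request expires.
            self.sleep(WINDOW_SECONDS - (now - self.sent[0]))

    def entries(self):
        cursor = None
        while True:
            self._wait_for_slot()
            page, cursor = self.fetch_page(cursor, MAX_PAGE_SIZE)
            yield from page
            if cursor is None:
                return

def demo(total=7250):
    """Run the pager against a constructed backlog and a fake clock."""
    backlog = [{"n": i} for i in range(total)]  # constructed sample entries
    now, calls = [0.0], []
    def fake_fetch(cursor, limit):
        start = cursor or 0
        calls.append(now[0])  # record when each request was sent
        nxt = start + limit
        return backlog[start:nxt], (nxt if nxt < total else None)
    def fake_sleep(seconds):
        now[0] += seconds
    pager = PacedPager(fake_fetch, clock=lambda: now[0], sleep=fake_sleep)
    return len(list(pager.entries())), calls
```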
Schema
Audit logs follow the OCSF v1.6.0 specification. Event-class-specific fields supplement a common base; see the API reference for the per-field response schema.
Event classes
The following OCSF classes are emitted today:
OCSF compliance is best-effort. Where a canonical OCSF field exists, audit entries use it; the unmapped field carries any ElevenLabs-specific attributes that don’t fit the standard.
Redaction
Sensitive material that would otherwise appear in URL paths or query parameters is redacted before audit entries are written. Password reset tokens are one such case; equivalent redaction applies to any audit-relevant request whose URL structure carries secrets.