Audit Logs

View as Markdown

Daytona audit logs provide a detailed record of user and system activity across your organization. Use this feature to track sandbox lifecycle events, user access, system changes, and more.

Security audits: monitor for unauthorized access or sandbox misuse
Debugging: understand sandbox lifecycle issues (e.g. failed starts)
Compliance Export: export logs for internal or external audits (coming soon)

Audit logs are available to administrators with full access and members with audit log permissions. Contact your organization administrator to get access to audit logs.

Access from Dashboard

Access the audit logs page directly from Daytona Dashboard ↗. The audit logs page displays a list of all audit logs for your organization, including the following columns:

Time: the timestamp of the action
User: the user who performed the action
Actions: the action performed
Targets: the resource affected by the action
Outcomes: the result of the action

To filter audit logs by time, use the date range picker in the top-left corner of the page.

Real-time updates

Daytona provides real-time updates of audit logs. Enable the Auto Refresh toggle in the top-right corner of the Daytona Audit Logs ↗ page to automatically refresh logs as new events occur.

Programmatic management

Daytona provides API endpoints for programmatic access to audit logs.

Get all audit logs

To get all audit logs, use the following API endpoint:

curl https://app.daytona.io/api/audit \
  --header 'Authorization: Bearer YOUR_API_KEY'

Get audit logs for organization

To get audit logs for a specific organization, use the following API endpoint:

curl https://app.daytona.io/api/audit/organizations/{organizationId} \
  --header 'Authorization: Bearer YOUR_API_KEY'

Log Structure

Each audit log entry contains the following fields:

Field	Type	Description
`id`	string	Unique log entry identifier
`actorId`	string	ID of the user who performed the action
`actorEmail`	string	Email of the user who performed the action
`organizationId`	string	Organization ID
`action`	string	Operation executed (e.g., `create`, `start`, `stop`)
`targetType`	string	Resource type affected (e.g., `sandbox`, `snapshot`)
`targetId`	string	ID of the affected resource
`statusCode`	number	HTTP status code of the result
`errorMessage`	string	Error message if the action failed
`ipAddress`	string	IP address of the request origin
`userAgent`	string	User agent of the request origin
`source`	string	Source of the action
`metadata`	object	Additional context about the action
`createdAt`	string	ISO 8601 timestamp of when the action occurred

Actions

Below is the complete list of actions logged by Daytona:

create, read, update, delete, login,
set_default, update_access, update_quota, update_region_quota,
suspend, unsuspend, accept, decline,
link_account, unlink_account, leave_organization,
regenerate_key_pair, update_scheduling,
start, stop, replace_labels, create_backup,
update_public_status, set_auto_stop_interval,
set_auto_archive_interval, set_auto_delete_interval, archive,
snapshot, fork,
get_port_preview_url, set_general_status, activate, deactivate,
update_network_settings,
send_webhook_message, initialize_webhooks,
update_sandbox_default_limited_network_egress,
create_ssh_access, revoke_ssh_access,
regenerate_proxy_api_key,regenerate_ssh_gateway_api_key,regenerate_snapshot_manager_credentials

Targets

Each action targets a specific resource type. Possible targets include:

api_key, organization, organization_invitation,
organization_role, organization_user, docker_registry,
runner, sandbox, snapshot, user, volume

Outcomes

The outcome field indicates the result of the action. Statuses follow standard HTTP semantics:

Outcome	Description
Info	Informational (1xx codes)
Success	Action succeeded (2xx codes)
Redirect	Redirects (3xx codes)
Error	Client/server error (4xx/5xx)