Audit log

litecommerce keeps an append-only audit log per tenant. It captures the events that matter for trust and debugging: admin writes, auth events, API-key changes, and platform-support access.

Each record includes the actor, the tenant, the action, the target, a timestamp, and structured metadata. The log is queryable and surfaced in a merchant-visible viewer inside the admin app, so operators can answer "who changed this?" without a database query.

Because it's append-only, audit history is a reliable source of truth — it isn't edited or deleted as a side effect of other operations.

Reading the log

GET /api/v1/merchant/audit-logs

Any staff role can read it. Results come back newest-first in the data array, with a nextCursor for pagination:

{
  "data": [
    {
      "id": "…",
      "actorUserId": "…",
      "action": "item.updated",
      "targetType": "item",
      "targetId": "9f2c…",
      "metadata": { "fields": ["priceInCents"] },
      "createdAt": "2026-05-17T14:02:11.000Z"
    }
  ],
  "nextCursor": "…"
}

action is a namespace.verb string (e.g. item.created, settings.updated, onboarding.step_completed). metadata shape varies by action and never contains sensitive values — settings.updated, for instance, records only the category names that changed, not the values. The JSON list carries actorUserId; the actor's email is resolved only in the CSV export below (actorEmail), not on these rows.

Filters

All optional and composable: action (substring — item. matches every item event), targetType, targetId, actorUserId, since / until (ISO-8601), limit (default 50, max 200), and cursor.
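A client for the endpoint and filters above, added here as an example (not litecommerce's own code): it follows nextCursor across pages and answers "who changed this field?" for one target. The fetch_json hook, the sample records, and the assumption that a null or missing nextCursor ends pagination are not from the page.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

PATH = "/api/v1/merchant/audit-logs"
MAX_LIMIT = 200  # documented maximum page size

def iter_audit_logs(fetch_json, **filters):
    """Yield every matching record, following nextCursor across pages."""
    # fetch_json(url) -> dict is a hypothetical hook that does the authenticated GET.
    params = {k: v for k, v in filters.items() if v is not None}
    params["limit"] = min(int(params.get("limit", 50)), MAX_LIMIT)
    seen = set()
    while True:
        page = fetch_json(f"{PATH}?{urlencode(params)}")
        yield from page["data"]
        cursor = page.get("nextCursor")
        # Assumption: a missing or null nextCursor marks the last page.
        if not cursor or cursor in seen:
            return  # a repeated cursor also stops the loop instead of spinning
        seen.add(cursor)
        params["cursor"] = cursor

def who_changed(fetch_json, target_type, target_id, field):
    """Return (createdAt, actorUserId) for events whose metadata lists `field`."""
    rows = iter_audit_logs(fetch_json, targetType=target_type,
                           targetId=target_id, action=f"{target_type}.")
    return [(r["createdAt"], r["actorUserId"]) for r in rows
            if field in r.get("metadata", {}).get("fields", [])]

def _row(rid, actor, action, fields, ts):  # builds one constructed record
    return {"id": rid, "actorUserId": actor, "action": action, "targetType": "item",
            "targetId": "item-1", "metadata": {"fields": fields}, "createdAt": ts}

# Constructed sample pages (not real litecommerce output), keyed by cursor.
_PAGES = {
    None: {"data": [_row("a3", "u-2", "item.updated", ["priceInCents"],
                         "2026-05-17T14:02:11.000Z")], "nextCursor": "c1"},
    "c1": {"data": [_row("a2", "u-1", "item.updated", ["name"], "2026-05-16T09:00:00.000Z"),
                    _row("a1", "u-1", "item.created", [], "2026-05-15T08:00:00.000Z")],
           "nextCursor": None},
}

def fake_fetch(url):
    """Offline stand-in for the HTTP call: picks a page by the cursor parameter."""
    query = parse_qs(urlsplit(url).query)
    return _PAGES[query.get("cursor", [None])[0]]
```

who_changed(fake_fetch, "item", "item-1", "priceInCents") returns the single price change by u-2; in real use, fake_fetch is replaced by a function that sends the request with the deployment's own credentials.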

CSV export

GET /api/v1/merchant/audit-logs/export

Same filters, no pagination — streams the matched entries as a CSV attachment (timestamp, actorUserId, actorEmail, action, targetType, targetId, metadata) for compliance archives or spreadsheet review.