only available on the Enterprise plan.
Self-hosted deployments require data plane v2.6.0 or later for audit logging. On earlier versions, administrative events are recorded but aren’t queryable.
Grant access
Members of the Owners permission group can read organization audit logs by default. To let anyone else read them, grant the organization-level Read audit logs permission in Settings > Permission groups.The Read audit logs permission grants read access to audit log entries for the organization. It does not grant access to modify the audited resources.
View the audit log
To view recent organization activity, go to Settings > Audit log. The table lists actions performed by members of your organization, with the most recent events first. Use the controls above the table to customize the view:- Time range: Select Last 24 hours, Last 7 days, or Last 30 days. The default is Last 7 days.
- Filters: Narrow results by fields such as actor, event type, or resource.
- Columns: Show or hide columns. ID, details, and before and after change columns are hidden by default.
Query the audit log
Users with the Read audit logs permission can query audit logs with SQL using theaudit_logs() data source, identified by your organization’s name or ID (for example, audit_logs('my-org')). See Querying by name for details. No additional configuration is required to query them.
Run a query from the SQL sandbox, the bt sql CLI, or the API.
Examples:
Recent activity across the organization
All actions taken by a specific member
Permission and access control changes in the last 30 days
What gets logged
Each audit log entry records a single event: what happened, who performed it, and what changed.Fields
Each organization audit log entry includes:
For create events,
before_changes is null. For delete events, after_changes is null. For update events, both fields contain the changed resource values. Readonly events contain neither.
Events
Braintrust records organization audit log events for these resource categories:
Some operations emit multiple audit log entries. For example, inviting a user can create an organization member entry, permission group membership entries, access grants, and an API key entry. Bulk operations create one audit log entry per changed resource.
Audit logs can take a few minutes to show up after an action occurs.
Sensitive values
Braintrust excludes or redacts sensitive values in audit logs:- API key hashes and raw keys are not included. Audit entries include the API key preview name when available.
- AI provider secrets are redacted. Audit entries include a secret preview and omit encrypted secret material and key names.
- Resource IDs, organization IDs, project IDs, creation timestamps, update timestamps, and deletion timestamps are omitted from
before_changesandafter_changeswhen they would add noise to the change diff.
Audit data reads and modifications
Braintrust can record row-level audit logs for certain kinds of resources. These can be high volume and are disabled by default.query.read events are particularly high volume. When enabled, query.read covers both SQL queries run manually and ones run implicitly by the Braintrust UI when you browse logs, experiments, and traces.
Braintrust records the following events for data rows:
To enable row-level audit logging for your organization, contact Braintrust support.
Next steps
- Access control to learn how organization permissions work.
- Manage permissions to grant Read audit logs to a permission group.
- SQL reference to learn about how to query audit logs with SQL.