GET /api/v3/auditevents
- Who performed the action (the actor).
- What was affected (one or more target entities).
- Where and how the action occurred (context about the account, location, client, device, and session).
Request methods
The beta API currently supports a single HTTP method (GET) to retrieve audit events and uses query parameters for pagination and time filters. The/api/v3/auditevents beta endpoint uses GET with query parameters for pagination and time filters.
The v1 and v2 API endpoints continue to use POST requests with a cursor object in the request body.
Servers and URLs
The v3 beta endpoint is currently hosted on the same Events API servers as the production API. Your base URL depends on the region where your 1Password account is hosted:| If your account is hosted on: | Your base URL is: |
|---|---|
1password.com | https://events.1password.com |
ent.1password.com | https://events.ent.1password.com |
1password.ca | https://events.1password.ca |
1password.eu | https://events.1password.eu |
It’s possible these servers could change during the beta or when the v3 endpoint moves to production. You can use the Events API beta roadmap and changelog to track changes.
Endpoints
The v3 beta API uses the following endpoint:GET /api/v3/auditevents: Retrieve audit events for actions performed by team members within a 1Password account.
Authorization
All calls to the v3 beta endpoint must be authorized with a valid JWT-encoded bearer token in theAuthorization header. The token must be scoped to include audit events.
Request headers
Requests to the beta endpoint require theAuthorization header:
401 Unauthorized response.
Pagination
The beta API uses cursor-based pagination passed in the query string.Query parameters
The v3auditevents endpoint accepts the following optional query parameters:
-
max_page_size: The maximum number of events to return in a single response. If you don’t includemax_page_size, or if you set it to0, the server default of100is used. The endpoint accepts any positive value, but it returns no more than1000events per page. -
start_time: The earliest insertion time for which to retrieve events (exclusive), filtered on when events were ingested by 1Password. Only events whose insertion time is strictly greater than this value are returned. Invalid ifpage_tokenis specified. -
end_time: The latest insertion time for which to retrieve events (exclusive), filtered on when events were ingested by 1Password. Only events whose insertion time is strictly less than this value are returned. Invalid ifpage_tokenis specified. -
page_token: An opaque string that identifies the next page of results to retrieve.
Data collection for the
/api/v3/auditevents beta endpoint started December 1, 2025. To access event data prior to that date, you’ll need to use the /api/v2/auditevents production endpoint.Response metadata
Every200 successful response includes the audit_events array at the top level. If there are more pages of events to retrieve, the response will also include a next_page_token you can pass to the next request.
When the response includes a next_page_token, use that token in the page_token query parameter of your next request. You can continue making requests until there are no more events.
If a response doesn’t include a token, that indicates there are no more pages of results to retrieve.
Pagination workflow
The following example shows a typical pagination workflow:-
Initial request: Make a GET call to
/api/v3/auditeventswith any combination ofmax_page_size,start_time, andend_timeparameters you need. Note that data collection for this endpoint started December 1, 2025. -
Check the response: Process the
audit_eventsarray. Check for anext_page_tokenat the top level of the response to see if there are more pages. If there’s a token, continue to step 3. If there’s an emptyaudit_eventsarray with nonext_page_token, that means there are no new events yet. Wait and poll again. -
Subsequent requests: If there are more pages of events, call the endpoint again using the value of the
next_page_tokenin thepage_tokenquery parameter of your next request. For example:Repeat this process until the response no longer includes anext_page_token, which means you’ve received all events for the requested time window.
Continuous polling
You can use continuous polling with your integration to call the endpoint on a regular schedule. This allows the integration to retrieve new events as they become available and keep your copy of audit events continuously up to date. To continue the polling loop after the initial pagination is complete:-
Record the
insert_timeof the last event in the response. - Wait until the next scheduled check for new events (the polling interval you set up in your integration).
-
Make a new request using the recorded
insert_timeas thestart_timeparameter. For example: -
Process the events in the response. If the response includes a
next_page_token, continue the pagination workflow using thepage_tokenquery parameter. Otherwise, record theinsert_timeof the last event in the response and repeat this loop with that value as your newstart_time.
Timestamps
Every audit event includes two date and time fields, both in RFC 3339 format:create_time: When the event occurred.insert_time: When the event was received and stored by 1Password.
start_time and end_time query parameters filter on insert_time, not create_time. This means a single response can include events whose create_time falls outside the query window, as long as the events were ingested within it. This is most likely to happen for events that take time to reach 1Password, such as those from offline clients that sync later.
Because the endpoint filters on insert_time, events that arrive later will surface in the next poll that uses a start_time strictly before their insert_time. Your continuous polling loop will receive these events without any special handling.
Rate limits
Requests to the beta endpoint are rate limited to:- 600 requests per minute
- 30,000 requests per hour
GET /api/v3/auditevents may include the following headers:
RateLimit-Limit: The total number of requests allowed for the current time window.RateLimit-Remaining: How many requests you can still make in the current window.RateLimit-Reset: The Unix timestamp (in seconds) that indicates when the current rate limit window will reset.
429 Too Many Requests response. The 429 response includes the following header:
Retry-After: Indicates how many seconds to wait before making another request.
429 Too Many Requests, you should:
- Stop sending additional requests to the endpoint.
- Wait for the number of seconds specified in the
Retry-Afterheader. - Resume requests, ideally with backoff and retry logic in your client.