Skip to main content
This content is for testing the v3 audit events beta endpoint. See how to get started with the production version (v2) if you don’t want to use the beta.
You can use the 1Password Events beta API to retrieve audit events from your 1Password Business account and send them to your security information and event management (SIEM) system. The beta API introduces a new audit events endpoint (/api/v3/auditevents) that uses the HTTP GET method and cursor-based pagination with query parameters. This beta endpoint returns structured audit event data beginning December 1, 2025. The data includes information about the actor, the affected entities, and contextual information about the account, where the session originated, and more for each event. Learn more about the Events API v3 beta.

Requirements

Before you get started with the beta API, you’ll need to have: If you already use the Events API with other endpoint versions, you can reuse the same Events Reporting integration and bearer token with the v3 beta endpoint. Make sure your bearer token is scoped for audit events.

Step 1: Set up an Events Reporting integration

If you haven’t set up Events Reporting yet, create a new integration in your 1Password Business account and issue a bearer token. Save the token in 1Password, then load it into your environment when making API calls. If you already have Events Reporting set up for your 1Password account, review the integration details to confirm:
  • The integration is active.
  • Your bearer token is active and scoped to access audit events.

Step 2: Find your Events API base URL

The /api/v3/auditevents beta endpoint currently uses the same Events API servers as the v2 production endpoint. Choose the base URL that matches the region where your 1Password account is hosted:
If your account is hosted on:Your base URL is:
1password.comhttps://events.1password.com
ent.1password.comhttps://events.ent.1password.com
1password.cahttps://events.1password.ca
1password.euhttps://events.1password.eu
You’ll use this base URL together with the v3 auditevents path. For example:
https://events.1password.com/api/v3/auditevents

Step 3: Send a test request with curl

You can send a test request with curl on the command line to confirm your integration is working.
The v3 beta endpoint uses a different HTTP method for requests:
  • v3 beta endpoint: GET /api/v3/auditevents
  • v2 production endpoint: POST /api/v2/auditevents

3.1: Create a curl request

In your terminal, format your request using the following structure:
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents?max_page_size={events_per_page}&start_time={start_time}&end_time={end_time}" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN"
Replace the placeholders with your own values:
  • $BASE_URL: The Events API base URL for your 1Password account. For example: https://events.1password.com.
  • $EVENTS_API_TOKEN: The bearer token for your Events Reporting integration.
  • {events_per_page}: (Optional) The maximum number of events to return in a single response. If you don’t include the max_page_size parameter, or if you set it to 0, the server default of 100 is used. The endpoint accepts any positive value, but it returns no more than 1000 events per page.
  • {start_time}: (Optional) The earliest insertion time for which to retrieve events (exclusive), filtered on when events were ingested by 1Password. Uses RFC 3339 format. For example: 2026-01-01T00:00:00Z.
  • {end_time}: (Optional) The latest insertion time for which to retrieve events (exclusive), filtered on when events were ingested by 1Password. Uses RFC 3339 format. For example: 2026-01-12T23:59:59Z.
If you omit the start_time and end_time parameters, the endpoint will return a page of events using the service-defined default time range.
Data collection for the /api/v3/auditevents beta endpoint started December 1, 2025. To access event data prior to that date, you’ll need to make a POST request to the /api/v2/auditevents production endpoint.

3.2: Send a curl request

The following example sends a GET request to the /api/v3/auditevents endpoint, using the curl command structure from the example above. Adjust the query parameters as needed.
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents?max_page_size=1&start_time=2026-01-01T00:00:00Z&end_time=2026-01-12T23:59:59Z" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN"
For better readability, you can also provide the query parameters on separate lines using --data-urlencode flags.
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN" \
  --data-urlencode "max_page_size=1" \
  --data-urlencode "start_time=2026-01-01T00:00:00Z" \
  --data-urlencode "end_time=2026-01-12T23:59:59Z"

3.3: Review the response

Review the response to confirm that the audit_events array contains the expected event data.
Example response
{
  "audit_events": [
    {
      "action": "vault.access.update",
      "actor": {
        "email": "wendy_appleseed@agilebits.com",
        "name": "Wendy Appleseed",
        "type": "user",
        "id": "4HCGRGYCTRQFBMGVEGTABYDU2V"
      },
      "category": "vault",
      "context": {
        "account": {
          "name": "AgileBits",
          "id": "VZSYVT2LGHTBWBQGUJAIZVRABM"
        },
        "client": {
          "name": "1Password Extension",
          "version": "81224010"
        },
        "device": {
          "model": "149.0.7827.22",
          "name": "Chrome extension",
          "id": "xa2p3x45d6vbk7noqnom89rxqm"
        },
        "location": {
          "city": "Toronto",
          "ip_address": "192.0.2.254",
          "latitude": 43.6425,
          "longitude": -79.3870,
          "region_code": "CA"
        },
        "origin": "Admin Console",
        "os": {
          "name": "MacOSX",
          "version": "26.5.0"
        },
        "session": {
          "login_time": "2026-05-29T18:29:46.871840158Z",
          "id": "X6TARAEE2NGKFLMK5POQBZ4U2Q"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36"
      },
			"correlation_id": "BENRUNBI3JCPPLFFRZTQA6XWIZ",
      "create_time": "2026-05-29T18:36:31Z",
			"diff": {
				"new_value": {
					"acl": 15730674,
					"aclDescription": [
						"manage",
						"reveal-password",
						"read-item",
						"update-item",
						"create-item",
						"archive-item",
						"delete-item",
						"view-item-history",
						"send-item"
					]
				},
				"old_value": {
					"acl": 15730672,
					"aclDescription": [
						"read-item"
					]
				},
				"type": "user-vault-access-change"
			},
      "insert_time": "2026-05-29T18:36:31.883698939Z",
      "targets": [
        {
          "payload": {
						"type": "U",
						"typeDescription": "user-created",
            "id": "lc5fqgbrcm4plajd8mwncv2b3u"
          },
					"type": "vault"
        },
				{
					"payload": {
						"email": "wendyappleseed+1@1password.com",
						"name": "Wendy Appleseed",
						"id": "OYBARQG5SNEFZHGYT4NDXCHGNI"
					},
					"type": "user"
				}
			],
      "id": "A5K6COGVRVEJXJW3XQZGS7VAMM"
		}
  ],
  "next_page_token": "eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0"
}
If the response body is empty, try adjusting your start_time and end_time parameters. If there are more events available than can be returned in a single response, the beta endpoint returns an opaque next_page_token at the top level of the response. To request the next page of results, pass the next_page_token value in the page_token query parameter. For example:
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents?page_token=eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN"
You can continue calling the endpoint with each next_page_token value that gets returned until the response no longer includes a token. Learn more about pagination and continuous polling in the beta API.

Step 4: Test the beta endpoint

After you’ve confirmed your Events API integration is working, you can test the beta /api/v3/auditevents endpoint with your SIEM.
The v3 beta endpoint is stable for testing, but it’s possible changes could be made during the beta that will break integrations.We don’t recommend the beta for production use, but we do encourage beta testers to use the v3 beta endpoint alongside the v2 production version and provide feedback. You can also use the Events API beta roadmap and changelog to track changes.