Skip to main content
Beta
This content is for testing the v3 audit events beta endpoint. See how to get started with the production version (v2) if you don’t want to use the beta.
You can use the 1Password Events beta API to retrieve audit events from your 1Password Business account and send them to your security information and event management (SIEM) system. The beta API introduces a new audit events endpoint (/api/v3/auditevents) that uses the HTTP GET method and cursor-based pagination with query parameters. This beta endpoint returns structured audit event data beginning December 1, 2025. The data includes information about the actor, the affected entities, and contextual information about the account, where the session originated, and more for each event. Learn more about the Events API v3 beta.

Requirements

Before you get started with the beta API, you’ll need to have: If you already use the Events API with other endpoint versions, you can reuse the same Events Reporting integration and bearer token with the v3 beta endpoint. Make sure your bearer token is scoped for audit events.

Step 1: Set up an Events Reporting integration

If you haven’t set up Events Reporting yet, create a new integration in your 1Password Business account and issue a bearer token. Save the token in 1Password, then load it into your environment when making API calls. If you already have Events Reporting set up for your 1Password account, review the integration details to confirm:
  • The integration is active.
  • Your bearer token is active and scoped to access audit events.

Step 2: Find your Events API base URL

The /api/v3/auditevents beta endpoint currently uses the same Events API servers as the v2 production endpoint. Choose the base URL that matches the region where your 1Password account is hosted:
If your account is hosted on:Your base URL is:
1password.comhttps://events.1password.com
ent.1password.comhttps://events.ent.1password.com
1password.cahttps://events.1password.ca
1password.euhttps://events.1password.eu
You’ll use this base URL together with the v3 auditevents path. For example: 
https://events.1password.com/api/v3/auditevents

Step 3: Send a test request with curl

You can send a test request with curl on the command line to confirm your integration is working.
The v3 beta endpoint uses a different HTTP method for requests:
  • v3 beta endpoint: GET /api/v3/auditevents
  • v2 production endpoint: POST /api/v2/auditevents

3.1: Create a curl request

In your terminal, format your request using the following structure: 
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents?page_size={events_per_page}&start_time={start_time}&end_time={end_time}" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN"
Replace the placeholders with your own values:
  • $BASE_URL: The Events API base URL for your 1Password account. For example: https://1password.com.
  • $EVENTS_API_TOKEN: The bearer token for your Events Reporting integration.
  • {events_per_page}: (Optional) The maximum number of events to return in a single response. Use a value from 1 to 1000. If you don’t include the page_size parameter, a default of 100 will be used.
  • {start_time}: (Optional) The date and time for when you want to start retrieving events, in RFC 3339 format . For example: 2026-01-01T00:00:00Z.
  • {end_time}: (Optional) The date and time for when you want to stop retrieving events, in RFC 3339 format . For example: 2026-01-12T23:59:59Z.
If you omit the start_time and end_time parameters, the endpoint will return a page of events using the service-defined default time range.
Data collection for the /api/v3/auditevents beta endpoint started December 1, 2025. To access event data prior to that date, you’ll need to make a POST request to the /api/v2/auditevents production endpoint.

3.2: Send a curl request

The following example sends a GET request to the /api/v3/auditevents endpoint, using the curl command structure from the example above. Adjust the query parameters as needed. 
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents?page_size=1&start_time=2026-01-01T00:00:00Z&end_time=2026-01-12T23:59:59Z" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN"
#code-result
{
  "data": {
    "audit_events": [
      {
        "action": "vault.vault-item.update",
        "actor": {
          "email": "wendy_appleseed@agilebits.com",
          "name": "Wendy Appleseed",
          "type": "user",
          "uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V"
        },
        "category": "vault",
        "context": {
          "account": {
            "name": "AgileBits",
            "uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM"
          },
          "client": {
            "name": "1Password Extension",
            "version": "81118003"
          },
          "device": {
            "model": "142.0.7444.23",
            "uuid": "katnz37usfc5i67fqekylwmcde"
          },
          "location": {
            "city": "Toronto",
            "country": "Canada",
            "ip_address": "192.0.2.254",
            "latitude": 43.5991,
            "longitude": -79.4988,
            "region": "Ontario"
          },
          "origin": "Admin Console",
          "os": {
            "name": "MacOSX",
            "version": "10.15"
						"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Safari/605.1.15"
          },
          "session": {
            "login_time": "2025-11-13T18:52:10.706588504Z",
            "uuid": "X6TARAEE2NGKFLMK5POQBZ4U2Q"
          }
        },
        "targets": [
          {
            "payload": {
              "type": "P",
              "uuid": "lc5fqgbrcm4plajd8mwncv2b3u"
            },
            "type": "vault"
          }
        ],
        "timestamp": "2026-01-01T19:01:20.110679321Z",
        "uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM"
      }
		]
	},
	"meta": {
    "has_more": true,
    "next_page_token": "eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0"
	}
}
For better readabilty, you can also provide the query parameters on separate lines using --data-urlencode flags. 
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN" \
  --data-urlencode "page_size=1" \
  --data-urlencode "start_time=2026-01-01T00:00:00Z" \
  --data-urlencode "end_time=2026-01-12T23:59:59Z"

3.3: Review the response

Review the response to confirm that the audit_events array contains the expected event data. If the response body is empty, try adjusting your start_time and end_time parameters. If there are more events available than can be returned in a single response, the beta endpoint returns a meta object that includes:
  • next_page_token: An opaque token you can pass in the next request to retrieve the next page of results.
  • has_more: A boolean value that indicates whether more pages are available (true or false).
For example, the response to the curl request above includes the following meta object: 
  "meta": {
    "next_page_token": "eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0",
    "has_more": true
  }
To request the next page of results, use the next_page_token value as a query parameter. For example: 
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents?next_page_token=eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN"
You can continue calling the endpoint with each next_page_token value that gets returned until has_more is false. Make sure not to include the start_time or end_time parameters in requests that use a next_page_token. Doing so will result in a 400 bad request error. To view HTTP status codes and rate limit in the responses, you can use the --include flag in your request. For example: 
curl --include --request GET...

Step 4: Test the beta endpoint

After you’ve confirmed your Events API integration is working, you can test the beta /api/v3/auditevents endpoint with your SIEM.
The v3 beta endpoint is stable for testing, but it’s possible changes could be made during the beta that will break integrations.We don’t recommend the beta for production use, but we do encourage beta testers to use v3 beta endpoint alongside the v2 production version and provide feedback. You can also use the Events API beta roadmap and changelog to track changes.