> ## Documentation Index
> Fetch the complete documentation index at: https://www.1password.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Get started with the 1Password Events API (beta)

export const BetaBadge = ({content}) => {
  if (content) {
    return <span className="op-beta-badge-inline not-prose">
        <span className="op-status-badge">Beta</span>
      </span>;
  }
  return <>
      <style>
        {`
        .mdx-content {
          margin-top: 4px !important;
        }
      `}
      </style>
      <span className="op-status-badge not-prose">Beta</span>
    </>;
};

<BetaBadge />

<Note>
  This content is for testing the v3 audit events beta endpoint. See how to [get started with the production version (v2)](/events-api/get-started/) if you don't want to use the beta.
</Note>

You can use the 1Password Events beta API to retrieve audit events from your 1Password Business account and send them to your security information and event management (SIEM) system.

The beta API introduces a [new audit events endpoint](/events-api/beta/reference/get-v3-auditevents) (`/api/v3/auditevents`) that uses the HTTP GET method and cursor-based pagination with query parameters. This beta endpoint returns structured audit event data beginning December 1, 2025. The data includes information about the actor, the affected entities, and contextual information about the account, where the session originated, and more for each event.

[Learn more about the Events API v3 beta.](/events-api/beta/about-v3-beta)

## Requirements

Before you get started with the beta API, you’ll need to have:

* [A 1Password Business account.](https://1password.com/pricing/password-manager)
* An [owner](https://support.1password.com/groups/#owners) or [administrator](https://support.1password.com/groups/#administrators) role in your 1Password account.
* A [JWT bearer token (Events API token)](/events-api/authorization#manage-bearer-tokens) that’s authorized to access audit events for your account.

If you already use the Events API with other endpoint versions, you can reuse the same Events Reporting integration and bearer token with the v3 beta endpoint. Make sure your bearer token is scoped for audit events.

## Step 1: Set up an Events Reporting integration

If you haven’t set up Events Reporting yet, [create a new integration](/events-api/get-started#step-1-set-up-an-events-reporting-integration) in your 1Password Business account and issue a bearer token. Save the token in 1Password, then load it into your environment when making API calls.

If you already have Events Reporting set up for your 1Password account, review the integration details to confirm:

* The integration is active.
* Your bearer token is active and scoped to access audit events.

## Step 2: Find your Events API base URL

The `/api/v3/auditevents` beta endpoint currently uses the same Events API servers as the v2 production endpoint.

Choose the base URL that matches the [region](https://support.1password.com/regions/) where your 1Password account is hosted:

| If your account is hosted on: | Your base URL is:                  |
| ----------------------------- | ---------------------------------- |
| `1password.com`               | `https://events.1password.com`     |
| `ent.1password.com`           | `https://events.ent.1password.com` |
| `1password.ca`                | `https://events.1password.ca`      |
| `1password.eu`                | `https://events.1password.eu`      |

You’ll use this base URL together with the v3 `auditevents` path. For example:

```text theme={null}
https://events.1password.com/api/v3/auditevents
```

## Step 3: Send a test request with curl

You can send a test request with [curl <Icon icon="arrow-up-right-from-square" />](https://curl.se/) on the command line to confirm your integration is working.

<Note>
  The v3 beta endpoint uses a different HTTP method for requests:

  * v3 beta endpoint: `GET /api/v3/auditevents`
  * v2 production endpoint: `POST /api/v2/auditevents`
</Note>

### 3.1: Create a curl request

In your terminal, format your request using the following structure:

```shell theme={null}
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents?max_page_size={events_per_page}&start_time={start_time}&end_time={end_time}" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN"
```

Replace the placeholders with your own values:

* `$BASE_URL`: The Events API base URL for your 1Password account. For example: `https://events.1password.com`.
* `$EVENTS_API_TOKEN`: The bearer token for your Events Reporting integration.
* `{events_per_page}`: (Optional) The maximum number of events to return in a single response. If you don’t include the `max_page_size` parameter, or if you set it to `0`, the server default of `100` is used. The endpoint accepts any positive value, but it returns no more than `1000` events per page.
* `{start_time}`: (Optional) The earliest insertion time for which to retrieve events (exclusive), filtered on when events were ingested by 1Password. Uses [RFC 3339 format. <Icon icon="arrow-up-right-from-square" />](https://datatracker.ietf.org/doc/html/rfc3339) For example: `2026-01-01T00:00:00Z`.
* `{end_time}`: (Optional) The latest insertion time for which to retrieve events (exclusive), filtered on when events were ingested by 1Password. Uses [RFC 3339 format. <Icon icon="arrow-up-right-from-square" />](https://datatracker.ietf.org/doc/html/rfc3339) For example: `2026-01-12T23:59:59Z`.

If you omit the `start_time` and `end_time` parameters, the endpoint will return a page of events using the service-defined default time range.

<Note>
  Data collection for the `/api/v3/auditevents` beta endpoint started December 1, 2025. To access event data prior to that date, you'll need to make a [`POST` request to the `/api/v2/auditevents` production endpoint](/events-api/reference/audit-events).
</Note>

### 3.2: Send a curl request

The following example sends a GET request to the [`/api/v3/auditevents` endpoint](/events-api/beta/reference/get-v3-auditevents), using the curl command structure from the example above. Adjust the query parameters as needed.

```shell theme={null}
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents?max_page_size=1&start_time=2026-01-01T00:00:00Z&end_time=2026-01-12T23:59:59Z" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN"
```

For better readability, you can also provide the query parameters on separate lines using `--data-urlencode` flags.

```shell theme={null}
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN" \
  --data-urlencode "max_page_size=1" \
  --data-urlencode "start_time=2026-01-01T00:00:00Z" \
  --data-urlencode "end_time=2026-01-12T23:59:59Z"
```

### 3.3: Review the response

Review the response to confirm that the `audit_events` array contains the expected event data.

```json Example response expandable theme={null}
{
  "audit_events": [
    {
      "action": "vault.access.update",
      "actor": {
        "email": "wendy_appleseed@agilebits.com",
        "name": "Wendy Appleseed",
        "type": "user",
        "id": "4HCGRGYCTRQFBMGVEGTABYDU2V"
      },
      "category": "vault",
      "context": {
        "account": {
          "name": "AgileBits",
          "id": "VZSYVT2LGHTBWBQGUJAIZVRABM"
        },
        "client": {
          "name": "1Password Extension",
          "version": "81224010"
        },
        "device": {
          "model": "149.0.7827.22",
          "name": "Chrome extension",
          "id": "xa2p3x45d6vbk7noqnom89rxqm"
        },
        "location": {
          "city": "Toronto",
          "ip_address": "192.0.2.254",
          "latitude": 43.6425,
          "longitude": -79.3870,
          "region_code": "CA"
        },
        "origin": "Admin Console",
        "os": {
          "name": "MacOSX",
          "version": "26.5.0"
        },
        "session": {
          "login_time": "2026-05-29T18:29:46.871840158Z",
          "id": "X6TARAEE2NGKFLMK5POQBZ4U2Q"
        },
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36"
      },
			"correlation_id": "BENRUNBI3JCPPLFFRZTQA6XWIZ",
      "create_time": "2026-05-29T18:36:31Z",
			"diff": {
				"new_value": {
					"acl": 15730674,
					"aclDescription": [
						"manage",
						"reveal-password",
						"read-item",
						"update-item",
						"create-item",
						"archive-item",
						"delete-item",
						"view-item-history",
						"send-item"
					]
				},
				"old_value": {
					"acl": 15730672,
					"aclDescription": [
						"read-item"
					]
				},
				"type": "user-vault-access-change"
			},
      "insert_time": "2026-05-29T18:36:31.883698939Z",
      "targets": [
        {
          "payload": {
						"type": "U",
						"typeDescription": "user-created",
            "id": "lc5fqgbrcm4plajd8mwncv2b3u"
          },
					"type": "vault"
        },
				{
					"payload": {
						"email": "wendyappleseed+1@1password.com",
						"name": "Wendy Appleseed",
						"id": "OYBARQG5SNEFZHGYT4NDXCHGNI"
					},
					"type": "user"
				}
			],
      "id": "A5K6COGVRVEJXJW3XQZGS7VAMM"
		}
  ],
  "next_page_token": "eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0"
}
```

If the response body is empty, try adjusting your `start_time` and `end_time` parameters.

If there are more events available than can be returned in a single response, the beta endpoint returns an opaque `next_page_token` at the top level of the response. To request the next page of results, pass the `next_page_token` value in the `page_token` query parameter. For example:

```shell theme={null}
curl --request GET \
  --url "$BASE_URL/api/v3/auditevents?page_token=eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0" \
  --header "Authorization: Bearer $EVENTS_API_TOKEN"
```

You can continue calling the endpoint with each `next_page_token` value that gets returned until the response no longer includes a token.

Learn more about [pagination](/events-api/beta/about-v3-beta#pagination) and [continuous polling](/events-api/beta/about-v3-beta#continuous-polling) in the beta API.

## Step 4: Test the beta endpoint

After you’ve confirmed your Events API integration is working, you can test the beta `/api/v3/auditevents` endpoint with your SIEM.

<Warning>
  The v3 beta endpoint is stable for testing, but it's possible changes could be made during the beta that will break integrations.

  We don't recommend the beta for production use, but we do encourage beta testers to use the v3 beta endpoint alongside the v2 production version and provide feedback. You can also use the [Events API beta roadmap and changelog](/events-api/beta/roadmap) to track changes.
</Warning>
