Skip to main content
Beta
This API reference documents the latest version of the 1Password Events API beta specifications (3.0.0). Learn more about the beta API.
Retrieve v3 (version 3) audit events for actions performed by team members within a 1Password account.
MethodEndpoint URL
GET<base_url>/api/v3/auditevents
You can use this endpoint to determine who performed an action and when, like when a team member edits an item’s password or invites another team member to a shared vault.

Make a request

Request header

To make a request to the /api/v3/auditevents endpoint, you’ll need to use the Authorization header with a bearer token scoped to access audit events. 
Authorization: Bearer YOUR_BEARER_TOKEN

Query parameters

You can optionally use any of the following query parameters in your request:
  • page_size: Specify the number of events records to return per page, between 1 and 1000.
  • start_time: The date and time from which to start retrieving events.
  • end_time: The date and time to stop retrieving events.
  • next_page_token: Add a cursor token from a previous response to go to the next page of results.
See the query parameters schema for more details.

Example requests

Example request with page size and start and end time parameters: 
curl --request GET \
  --url https://events.1password.com/api/v3/auditevents?page_size=50&start_time=2026-01-01T00:00:00Z&end_time=2026-01-13T17:30:00Z \
  --header 'Authorization: Bearer YOUR_BEARER_TOKEN'
Example request that includes a token to return the next page of events: 
curl --request GET \
  --url "https://events.1password.com/api/v3/auditevents?next_page_token=aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK" \
  --header "Authorization: Bearer YOUR_BEARER_TOKEN"

Receive a response

A successful response will include a subset of events matching your query parameters (if any exist), along with pagination metadata that indicates if there are more results (true or false). If true, the response will include a token you can use to request subsequent pages of events. If the response is successful but there aren’t any events for the parameters you requested, the audit_events array will be empty ([]).

HTTP status code

Every request returns an HTTP status code that indicates if the response was successful or there was a problem.

Response headers

The response may also include one or more of the following RateLimit response headers, as defined by the IETF standards :
  • Content-Type: application/json
  • RateLimit-Limit
  • Ratelimit-Remaining
  • RateLimit-Reset
  • Retry-After (only in responses with a 429 Too Many Requests error)
You can use the --include flag in your request to view the HTTP status code and your remaining rate limit in the response. For example: 
curl --include --request GET...

Example responses

A successful 200 response returns an array of AuditEventsResponse objects with the following high-level structure: 
{
  "data": {
    "audit_events": [
      {
        "uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E",
        "timestamp": "2025-01-01T00:00:00Z",
        "context": { /* Context object */ },
        "actor": { /* Actor object */ },
        "category": "vault",
        "action": "vault.vault-item.update",
        "targets": [ /* Entity objects */ ]
      }
    ]
  },
  "meta": {
    "next_page_token": "aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK",
    "has_more": true
  }
}
Below is an example of a successful response that shows one event (a user edited an item in a shared vault). It includes response headers and metadata with a token to fetch the next page of results. 
HTTP/2 200
content-type: application/json
ratelimit-limit: 600
ratelimit-remaining: 599
ratelimit-reset: 1767735927
date: Tue, 13 Jan 2026 17:30:52 GMT

{
  "data": {
    "audit_events": [
      {
        "action": "vault.vault-item.update",
        "actor": {
          "email": "wendy_appleseed@agilebits.com",
          "name": "Wendy Appleseed",
          "type": "user",
          "uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V"
        },
        "category": "vault",
        "context": {
          "account": {
            "name": "AgileBits",
            "uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM"
          },
          "client": {
            "name": "1Password Extension",
            "version": "81118003"
          },
          "device": {
            "model": "142.0.7444.23",
            "uuid": "katnz37usfc5i67fqekylwmcde"
          },
          "location": {
            "city": "Toronto",
            "country": "Canada",
            "ip_address": "192.0.2.254",
            "latitude": 43.5991,
            "longitude": -79.4988,
            "region": "Ontario"
          },
          "origin": "Admin Console",
					"os": {
						"name": "MacOSX",
						"version": "15.7.1"
						"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Safari/605.1.15"
					},
          "session": {
            "login_time": "2025-11-13T18:52:10.706588504Z",
            "uuid": "X6TARAEE2NGKFLMK5POQBZ4U2Q"
          }
        },
        "targets": [
          {
            "payload": {
              "type": "P",
              "uuid": "lc5fqgbrcm4plajd8mwncv2b3u"
            },
            "type": "vault"
          }
        ],
        "timestamp": "2026-01-01T19:01:20.110679321Z",
        "uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM"
      }
		]
	},
	"meta": {
    "has_more": true,
    "next_page_token": "eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0"
	}
}
Example response headers when the rate limit of 600 requests per minute has been exceeded: 
HTTP/1.1 429 Too Many Requests
content-type: application/json
ratelimit-limit: 600
ratelimit-remaining: 0
ratelimit-reset: 1768325512
retry-after: 60
date: Tue, 13 Jan 2026 17:30:52 GMT

Request schemas

Query parameters

NameTypeRequiredDescription
page_sizeintegerNoMaximum number of events records to return per page, from 1 to 1000. If the page_size parameter isn’t include, the default of 100 will be used.
next_page_tokenstringNoOpaque cursor token identifying the next page of results to retrieve. Do not use the start_time or end_time parameters with the next_page_token. Doing so will result in a 400 bad request error.
start_timestring (date-time)NoThe earliest timestamp (inclusive) from which to retrieve events. Invalid if next_page_token is specified. Uses the RFC 3339 standard .
end_timestring (date-time)NoThe latest timestamp (inclusive) for which to retrieve events. Invalid if next_page_token is specified. Uses the RFC 3339 standard .

Response schemas

Rate limit headers

HeaderTypeRequiredDescription
RateLimit-LimitintegerNoThe request quota for the associated client in the current time window.
RateLimit-RemainingintegerNoThe remaining request quota for the associated client.
RateLimit-ResetintegerNoUnix timestamp that indicates the number of seconds until the request quota is reset for the associated client.
Retry-AfterintegerNoNumber of seconds until the request quota is reset for the associated client. Only included in responses with the 429 Too Many Requests rate limit error.

AuditEventsResponse object

FieldTypeRequiredDescription
dataobjectYesContainer for the audit event data.
data.audit_eventsarrayYesArray of AuditEvent objects.
metaobjectYesPagination metadata for the response that can be used in subsequent requests.
meta.next_page_tokenstringNoOpaque token used to retrieve the next page of results. Should be included in subsequent requests until has_more is false.
meta.has_morebooleanYesIndicates if additional pages of results are available for retrieval (true) or not (false).

AuditEventsResponse: AuditEvent object

FieldTypeRequiredDescription
uuidstringYesUnique identifier for the audit event.
timestampstring (date-time)YesThe date and time when the event occurred. Uses the RFC 3339 standard .
contextobjectYesA Context object containing information about how the event was initiated.
actorobjectYesAn Actor object describing who initiated the event.
categorystringYesHigh-level category of the event (for example, report).
actionstringYesSpecific action taken (for example, report.view).
targetsarrayYesArray of Entity objects that describe what was affected.

AuditEventsResponse: Account object

FieldTypeRequiredDescription
uuidstringYesUUID of the account.
namestringYesName of the account.
statestringYesState of the account (for example, A).
typestringYesType of the account (for example, B).
domainstringYesDomain associated with the account (for example, 1password.com).

AuditEventsResponse: Actor object

FieldTypeRequiredDescription
typestringYesThe type of actor (for example, user).
uuidstringYesUUID of the actor.
namestringNoDisplay name of the actor, if available.
emailstringNoEmail address of the actor, if available.
linked_accountobjectNoAn Account object describing a related account, if any.

AuditEventsResponse: Client object

FieldTypeRequiredDescription
namestringYesName of the client that was used.
versionstringYesVersion of the client that was used.

AuditEventsResponse: Context object

FieldTypeRequiredDescription
accountobjectYesA ContextAccount object describing the account associated with the event.
originstringYesThe application or interface where the event occurred (for example, password_manager).
sessionobjectNoA Session object describing the session in which the event occurred.
locationobjectYesA Location object describing where the event originated.
deviceobjectNoA Device object describing the device used to initiate the event.
clientobjectNoA Client object describing the 1Password client used (app or integration).
osobjectNoAn OS object describing the operating system.

AuditEventsResponse: ContextAccount object

FieldTypeRequiredDescription
uuidstringYesUUID of the account.
namestringYesName of the account.

AuditEventsResponse: Device object

FieldTypeRequiredDescription
uuidstringYesUUID of the device.
modelstringYesModel of the device.

AuditEventsResponse: Entity object

FieldTypeRequiredDescription
typestringYesType of entity affected by a given event. An entity may contain a number of additional properties specific to its type. For example: report, user, or other resource types.
payloadobjectYesAdditional properties describing the entity.

AuditEventsResponse: Location object

FieldTypeRequiredDescription
ip_addressstringYesIP address from which the event originated.
countrystringNoCountry associated with the IP address.
regionstringNoRegion associated with the IP address.
citystringNoCity associated with the IP address.
latitudenumberNoLatitude of the location.
longitudenumberNoLongitude of the location.

AuditEventsResponse: OS object

FieldTypeRequiredDescription
namestringYesName of the operating system that was used.
versionstringYesVersion of the operating system that was used.
userAgentstringNoInformation about the operating system, such as software identification and environment details.

AuditEventsResponse: Session object

FieldTypeRequiredDescription
uuidstringYesUUID of the session.
login_timestring (date-time)YesTime when the session was created.

ErrorResponse object

FieldTypeRequiredDescription
ErrorobjectNoAn Error object containing the error message.

ErrorResponse: Error object

FieldTypeRequiredDescription
MessagestringNoAn error message.