> ## Documentation Index
> Fetch the complete documentation index at: https://www.1password.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Get data and analytics for your 1Password account

> Learn more about 1Password tools that can help you generate account activity reports, send event data to your security and analytics tools, and trigger account access remediation.

Knowing how your team uses 1Password — who's signing in from where, what items are being accessed, and when admin settings change — is essential for security investigations, compliance reviews, and day-to-day account management. 1Password gives administrators several ways to access this activity data, from logs and reports available on 1Password.com to APIs that send events to your security and analytics tools or take action on user accounts.

## Choose your workflow

Use the table below to decide which tools best suit your use case:

|                    | [Audit log and reports](#audit-log-and-reports)                                              | [1Password Events API](#1password-events-api)                                                      | [1Password Users API](#1password-users-api-public-preview)                            |
| ------------------ | -------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
| **Best for**       | Reviewing activity and exporting reports on 1Password.com                                    | Sending 1Password activity to a SIEM or analytics platform                                         | Letting a SOAR or security automation platform act on user accounts                   |
| **What you get**   | Audit log, sign-in attempts, user adoption, device, team, usage, and overview reports        | Audit events, item usage events, and sign-in attempts                                              | List users, get user details, suspend users, and reactivate users                     |
| **When to use it** | You want quick access to account information and CSV exports without building an integration | You want centralized dashboards, alerts, correlation, or longer-term retention in your own tooling | You want an approved integration to take user access remediation actions in 1Password |
| **Setup**          | Just sign in to your 1Password account — no integration required                             | Create an Events Reporting integration and issue a bearer token                                    | Create an OAuth application and generate client credentials                           |

## Audit log and reports

Gain visibility into the last 12 months of activities directly in your team's 1Password Business account without needing to set up an integration.

### Use the audit log

You can access the audit log from the [audit log](https://start.1password.com/audit-log) section in your 1Password account. [Use the audit log](https://support.1password.com/activity-log/) to:

* Search and filter sign-in attempts, item usage, and admin actions.
* Track actions across users, groups, vaults, devices, service accounts, reports, and more to see who did what and when.
* Export the filtered results as a CSV for auditors or further analysis.

### Create reports

Generate reports from the [Reports](https://start.1password.com/reports) section in your 1Password account. You can [create reports](https://support.1password.com/reports/) to help you:

* Monitor security issues in your account, like data breaches involving team members or company email addresses.
* Get detailed usage information for individual team members, service accounts, and vaults, including which items were accessed and when.
* See active users, item access patterns, and sign-in attempts across your account.
* Navigate compliance reviews, access audits, and offboarding checks.

<CardGroup cols={2}>
  <Card title="Use the audit log" href="https://support.1password.com/activity-log/" icon="list-timeline">
    Search activity in your 1Password Business account and export results as CSV.
  </Card>

  <Card title="Create reports" href="https://support.1password.com/reports/" icon="chart-line">
    Generate reports for users, service accounts, vault activity, item usage, and more.
  </Card>
</CardGroup>

## 1Password Events API

Use the [1Password Events API](/events-api) to retrieve activity from your 1Password Business account and send it to your security and analytics tools, so it can be reviewed and correlated alongside the rest of your environment.

The Events API includes detailed information about the following types of account activity:

* **[Audit events](/events-api/audit-events)** for actions performed by team members involving vaults, groups, users, permissions, SSO configuration, service accounts, and more.
* **[Item usage](/events-api/item-usage-actions)** in shared vaults, like when and where items are viewed, copied, filled, revealed, exported, shared, or edited.
* **[Sign-in attempts](/events-api/reference/sign-in-attempt)** for successful and failed sign-ins, including details about the client app, IP address, geolocation, and the reason for any failures (such as bad credentials, failed MFA, or firewall blocks).

It's easy to connect your 1Password account to your security information event management (SIEM) platform using a [pre-built connector](https://support.1password.com/events-reporting/), like the [Splunk](https://support.1password.com/events-reporting-splunk/) or [Elastic](https://support.1password.com/events-reporting-elastic/) integrations. Or build your own custom connector using the [Events API reference](/events-api/reference).

<Note>
  The Events API can access the last 120 days of account activity. For events older than 120 days, you can [use the audit log](#use-the-audit-log) in your 1Password account.
</Note>

<CardGroup cols={2}>
  <Card title="Get started with the Events API" href="/events-api/get-started" icon="rocket">
    Set up an Events Reporting integration in your 1Password Business account.
  </Card>

  <Card title="Pre-built SIEM connectors" href="https://support.1password.com/events-reporting/" icon="plug">
    See which platforms have built-in 1Password integrations.
  </Card>

  <Card title="Audit events catalog" href="/events-api/audit-events" icon="clipboard-list">
    Every audit action and object type the API can return, organized by category.
  </Card>

  <Card title="Item usage actions" href="/events-api/item-usage-actions" icon="key">
    What each item usage action means and which client triggered it.
  </Card>

  <Card title="Events API reference" href="/events-api/reference" icon="gear-api">
    Endpoint details for audit events, item usage, and sign-in attempts.
  </Card>
</CardGroup>

## 1Password Users API (Public Preview)

Use the [1Password Users API for Partners](/users-api) (public preview) to create an integration between your 1Password Business account and your preferred security automation platform. Then use the integration to take actions on user accounts in response to events reporting data or SIEM-detected events, such as automatically suspending a user directly in 1Password when suspicious sign-in events are flagged.

With the Users API, you can:

* **[List users](/users-api/list-users)** in your account, optionally filtered to active or suspended users, to build inventories or pick targets for action.
* **[Get a user](/users-api/get-user)** by ID to retrieve their display name, email, and current state (active or suspended).
* **[Suspend a user](/users-api/suspend-user)** to remove their 1Password account access during offboarding or incident response.
* **[Reactivate a user](/users-api/reactivate-user)** after the issue is resolved or onboarding is completed.

It's easy to connect your 1Password account to your security automation platforms using a [pre-built partner integration](https://support.1password.com/security-automation/). Or build a custom integration using the [Users API reference](/users-api/reference).

The Users API uses the [OAuth 2.0 client credentials flow](/users-api/authorization) with [scoped permissions](/users-api/authorization#scopes), so each integration only has the access it needs. Access tokens are short-lived and can be [revoked](/users-api/revoke-access-token) at any time.

<CardGroup cols={2}>
  <Card title="Get started with the Users API" href="/users-api/get-started" icon="rocket">
    Create an OAuth application and make your first request.
  </Card>

  <Card title="Pre-built partner integrations" href="https://support.1password.com/security-automation/" icon="puzzle-piece">
    Security automation platforms that already work with the Users API.
  </Card>

  <Card title="About the Users API" href="/users-api/about-users-api" icon="circle-info">
    Endpoint paths, request methods, headers, pagination, and rate limits.
  </Card>

  <Card title="Users API reference" href="/users-api/reference" icon="gear-api">
    Endpoint details for OAuth tokens and user actions.
  </Card>
</CardGroup>