Skip to content
MCP Gateway

Search tool, policy, session, credential, API adapter, and admin audit events.

POST
/v1/audit/search

Request IDs are optional filters. Actor identity is derived from auth context; clients must not send actor_id.

Authorizations

Section titled “Authorizations ”

Request Body required

Section titled “Request Body required ”
object
tenant_id
string
>= 1 characters
environment_id
string
>= 1 characters
user_id
string
agent_id
string
server_id
string
tool_id
string
client_surface_id
string
client_session_id
string
backend_session_id
string
request_id

Optional request-chain filter.

string
>= 1 characters
outcome
Allowed values: succeeded denied failed
event_type
string
policy_decision
Allowed values: allow deny block error
credential_resolution_status
Allowed values: not_required resolved missing denied disabled revoked expired backend_unavailable
connector_id
string
route_reason
string
/^[a-z0-9_]+$/
time_range
object
from
string format: date-time
to
string format: date-time
page
integer
>= 1
page_size
integer
>= 1 <= 500
limit
integer
>= 1 <= 500

Responses

Section titled “ Responses ”

200

Section titled “200 ”

Search results with safe audit metadata only.

object
schema_version
required
page
required
integer
>= 1
page_size
required
integer
>= 1 <= 500
total_count
required
integer
total_pages
required
integer
>= 1
facets
required
object
event_type
required
Array<object>
object
value
required
string
count
required
integer
outcome
required
Array<object>
object
value
required
string
count
required
integer
server_id
required
Array<object>
object
value
required
string
count
required
integer
tool_id
required
Array<object>
object
value
required
string
count
required
integer
policy_decision
required
Array<object>
object
value
required
string
count
required
integer
credential_resolution_status
required
Array<object>
object
value
required
string
count
required
integer
route_reason
required
Array<object>
object
value
required
string
count
required
integer
environment_id
required
Array<object>
object
value
required
string
count
required
integer
items
required
Array<object>
object
event_id
required
string
>= 1 characters
timestamp
required
string format: date-time
event_type
required
string
>= 1 characters
outcome
required
Allowed values: succeeded denied failed
tenant_id
required
string
>= 1 characters
environment_id
required
string
>= 1 characters
server_id
required
string | null
tool_id
required
string | null
request_id
required
string
>= 1 characters
actor_id
required
string | null
user_id
required
string | null
agent_id
required
string | null
agent_instance_id
required
string | null
client_surface_id
required
string
>= 1 characters
client_session_id
required
string | null
backend_session_id
required
string | null
policy_decision
required
Allowed values: allow deny block error
policy_reason
required
string | null
policy_rule_id
required
string | null
policy_ref
required
string | null
policy_version
required
string
>= 1 characters
denial_reason_code
required
string | null
/^[a-z0-9_]+$/
reason_code
string | null
/^[a-z0-9_]+$/
reason_label_snapshot
string | null
reason_catalog_version
string | null
reason
string | null
<= 500 characters
credential_mode
required
string
Allowed values: none service_account user_delegated agent_scoped workload_mapped
credential_binding_id
required
string | null
credential_resolution_status
required
Any of:
Allowed values: not_required resolved missing denied disabled revoked expired backend_unavailable
connector_id
required
string | null
route_decision
required
Any of:
Allowed values: allow deny
route_reason
required
string | null
/^[a-z0-9_]+$/
upstream_attempted
required
boolean
latency_ms
required
integer | null
redaction_status
required
Allowed values: disabled redacted none
payload_logged
required
boolean
secret_material_logged
required

403

Section titled “403 ”

Caller lacks audit.read for the scoped tenant/environment.

Type set in Geist, Source Serif 4, and Departure Mono.