Querying events
Callmaxi/get-audit-events to retrieve audit log entries. You can filter by category, specific event name, or a timestamp to narrow results.
Parameters:
| Parameter | Type | Description |
|---|---|---|
category | string | Filter by event category (see categories below) |
event | string | Filter by specific event name |
since | string | Return only events after this timestamp (Y-m-d H:i:s) |
Example: all content mutations
Example: license events only
Example: events since a specific time
Response format
Each audit log entry has the following fields:| Field | Description |
|---|---|
id | Unique entry ID |
ts | Timestamp of the event |
category | Event category (e.g. content, key, oauth) |
event | Specific event name (e.g. content_created, rotated) |
actor_id | WordPress user ID of the user who triggered the event |
subject | The object the event relates to (e.g. a post ID, a client ID) |
context | Additional structured data specific to the event type |
Example response entry
Event categories
content — content mutations
content — content mutations
Records every change to posts, pages, and custom post types.
| Event | Description | Context fields |
|---|---|---|
content_created | New post or page created | post_type |
content_updated | Post or page updated | updated_fields (array of changed field keys) |
content_deleted | Post or page deleted or trashed | force (true = permanent delete, false = trash) |
content_duplicated | Post or page duplicated | source_id (original post ID) |
status_changed | Post status changed | from, to |
content_scheduled | Post scheduled for future publication | date |
author_changed | Post author changed | from, to (user IDs) |
parent_changed | Post parent changed | from, to (post IDs) |
key — API key events
key — API key events
Records all AI provider credential activity.
Both events include the provider name in
| Event | Description |
|---|---|
rotated | A provider key was successfully rotated |
validation_failed | A rotation attempt failed the live validation test |
context.license — license lifecycle
license — license lifecycle
Records license activation and deactivation events.
| Event | Description |
|---|---|
activated | License activated successfully |
activation_failed | License activation attempt failed |
deactivated | License deactivated |
oauth — OAuth token lifecycle
oauth — OAuth token lifecycle
Records every stage of the OAuth 2.1 flow — client registration, authorization, token issuance, and revocation.
Token validation failures with
| Event | Description | Context fields |
|---|---|---|
client_registered | A new OAuth client registered via DCR | auth_method, redirect_uris_count, client_name, ip. Subject: client_id |
code_issued | Authorization code minted | user_id, scopes, resource, path |
token_issued | Access and refresh token pair issued | user_id, grant_type, scopes |
token_refreshed | Token pair rotated | |
token_revoked | Token invalidated | token_type_hint |
token_validation_failed | Bearer token rejected | reason. Subject: masked first-8 chars of token |
reason: unknown_or_expired_or_revoked are worth monitoring — repeated failures may indicate a misconfigured client or a stolen token replay attempt.notes — notes activity
notes — notes activity
Records significant note lifecycle events.
wp_cli — WP-CLI command execution
wp_cli — WP-CLI command execution
Records every WP-CLI command attempted via
maxi/run-wp-cli, including rejected commands and the rejection reason.email — email sends
email — email sends
Records every email sent via
maxi/send-email. Includes recipient, subject, and from identity. The email body is not logged.data_masking — masking list changes
data_masking — masking list changes
Records additions and removals from the GDPR data masking field list managed via
maxi/manage-mask-fields.rules — ability rule events
rules — ability rule events
Records rule-related events, including blocked ability calls and rule sync operations.