> ## Documentation Index
> Fetch the complete documentation index at: https://docs.maxicore.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Querying the Maxi AI Core audit log for site activity

> Every content mutation, license event, API key rotation, and OAuth token action is recorded. Query the log by category, event name, or timestamp.

Maxi AI Core records all significant actions in an append-only audit log. Every content mutation, license activation, AI provider key rotation, OAuth token event, email send, and data masking change leaves a permanent entry you can query at any time. Use the audit log to review what agents have done, investigate unexpected behavior, and verify that your security controls are working as expected.

<Tip>
  Query the audit log regularly — not just when something goes wrong. Unexpected patterns (content created at unusual times, repeated token validation failures, unrecognized OAuth clients) are easier to catch early.
</Tip>

## Querying events

Call `maxi/get-audit-events` to retrieve audit log entries. You can filter by category, specific event name, or a timestamp to narrow results.

**Parameters:**

| Parameter  | Type   | Description                                             |
| ---------- | ------ | ------------------------------------------------------- |
| `category` | string | Filter by event category (see categories below)         |
| `event`    | string | Filter by specific event name                           |
| `since`    | string | Return only events after this timestamp (`Y-m-d H:i:s`) |

### Example: all content mutations

```json theme={null}
{
  "category": "content"
}
```

### Example: license events only

```json theme={null}
{
  "category": "license"
}
```

### Example: events since a specific time

```json theme={null}
{
  "category": "oauth",
  "since": "2025-01-01 00:00:00"
}
```

## Response format

Each audit log entry has the following fields:

| Field      | Description                                                   |
| ---------- | ------------------------------------------------------------- |
| `id`       | Unique entry ID                                               |
| `ts`       | Timestamp of the event                                        |
| `category` | Event category (e.g. `content`, `key`, `oauth`)               |
| `event`    | Specific event name (e.g. `content_created`, `rotated`)       |
| `actor_id` | WordPress user ID of the user who triggered the event         |
| `subject`  | The object the event relates to (e.g. a post ID, a client ID) |
| `context`  | Additional structured data specific to the event type         |

### Example response entry

```json theme={null}
{
  "id": 1042,
  "ts": "2025-05-10 14:23:07",
  "category": "content",
  "event": "content_created",
  "actor_id": 5,
  "subject": "post:312",
  "context": {
    "post_type": "post"
  }
}
```

## Event categories

<AccordionGroup>
  <Accordion title="content — content mutations">
    Records every change to posts, pages, and custom post types.

    | Event                | Description                           | Context fields                                   |
    | -------------------- | ------------------------------------- | ------------------------------------------------ |
    | `content_created`    | New post or page created              | `post_type`                                      |
    | `content_updated`    | Post or page updated                  | `updated_fields` (array of changed field keys)   |
    | `content_deleted`    | Post or page deleted or trashed       | `force` (true = permanent delete, false = trash) |
    | `content_duplicated` | Post or page duplicated               | `source_id` (original post ID)                   |
    | `status_changed`     | Post status changed                   | `from`, `to`                                     |
    | `content_scheduled`  | Post scheduled for future publication | `date`                                           |
    | `author_changed`     | Post author changed                   | `from`, `to` (user IDs)                          |
    | `parent_changed`     | Post parent changed                   | `from`, `to` (post IDs)                          |

    ```json theme={null}
    { "category": "content" }
    ```
  </Accordion>

  <Accordion title="key — API key events">
    Records all AI provider credential activity.

    | Event               | Description                                        |
    | ------------------- | -------------------------------------------------- |
    | `rotated`           | A provider key was successfully rotated            |
    | `validation_failed` | A rotation attempt failed the live validation test |

    Both events include the provider name in `context`.

    ```json theme={null}
    { "category": "key" }
    ```
  </Accordion>

  <Accordion title="license — license lifecycle">
    Records license activation and deactivation events.

    | Event               | Description                       |
    | ------------------- | --------------------------------- |
    | `activated`         | License activated successfully    |
    | `activation_failed` | License activation attempt failed |
    | `deactivated`       | License deactivated               |

    ```json theme={null}
    { "category": "license" }
    ```
  </Accordion>

  <Accordion title="oauth — OAuth token lifecycle">
    Records every stage of the OAuth 2.1 flow — client registration, authorization, token issuance, and revocation.

    | Event                     | Description                           | Context fields                                                                  |
    | ------------------------- | ------------------------------------- | ------------------------------------------------------------------------------- |
    | `client_registered`       | A new OAuth client registered via DCR | `auth_method`, `redirect_uris_count`, `client_name`, `ip`. Subject: `client_id` |
    | `code_issued`             | Authorization code minted             | `user_id`, `scopes`, `resource`, `path`                                         |
    | `token_issued`            | Access and refresh token pair issued  | `user_id`, `grant_type`, `scopes`                                               |
    | `token_refreshed`         | Token pair rotated                    |                                                                                 |
    | `token_revoked`           | Token invalidated                     | `token_type_hint`                                                               |
    | `token_validation_failed` | Bearer token rejected                 | `reason`. Subject: masked first-8 chars of token                                |

    ```json theme={null}
    { "category": "oauth" }
    ```

    Token validation failures with `reason: unknown_or_expired_or_revoked` are worth monitoring — repeated failures may indicate a misconfigured client or a stolen token replay attempt.
  </Accordion>

  <Accordion title="notes — notes activity">
    Records significant note lifecycle events.

    ```json theme={null}
    { "category": "notes" }
    ```
  </Accordion>

  <Accordion title="wp_cli — WP-CLI command execution">
    Records every WP-CLI command attempted via `maxi/run-wp-cli`, including rejected commands and the rejection reason.

    ```json theme={null}
    { "category": "wp_cli" }
    ```
  </Accordion>

  <Accordion title="email — email sends">
    Records every email sent via `maxi/send-email`. Includes recipient, subject, and from identity. The email body is not logged.

    ```json theme={null}
    { "category": "email" }
    ```
  </Accordion>

  <Accordion title="data_masking — masking list changes">
    Records additions and removals from the GDPR data masking field list managed via `maxi/manage-mask-fields`.

    ```json theme={null}
    { "category": "data_masking" }
    ```
  </Accordion>

  <Accordion title="rules — ability rule events">
    Records rule-related events, including blocked ability calls and rule sync operations.

    ```json theme={null}
    { "category": "rules" }
    ```
  </Accordion>
</AccordionGroup>

## Audit log integrity

The audit log is append-only. Each entry is recorded with a tamper-evident hash incorporating prior entries — modifying historical records breaks the chain from that point forward. Query the log regularly and investigate any unexpected gaps or patterns in the recorded events.
