Audit log
The audit log page gives you a complete, time-ordered record of every change made in your Port organization. Use it to understand who did what, when, and whether it succeeded - whether you are troubleshooting a broken integration, investigating an unexpected change, or meeting compliance requirements.
This applies to AI agents too: when an agent triggers a workflow, the run appears in the Runs tab exactly like a human-triggered run, with the same Source, Type, and Status detail. Every agent-invoked run is attributed to the identity behind it (a user or service account) and is fully auditable alongside human-triggered activity.
Tracked resources
The audit log is organized into tabs, each covering a different type of resource. Every create, update, or delete operation on the following resources generates a log entry:
| Tab | What is tracked |
|---|---|
| Entities | Creation, updates, and deletion of catalog entities across all blueprints. |
| Blueprints | Changes to blueprint definitions and their permissions. |
| Actions | Changes to self-service action definitions and their permissions. |
| Automations | Changes to automation definitions. |
| Scorecards | Changes to scorecard definitions. |
| Runs | Execution records for self-service action and automation runs, including runs triggered by an AI agent (for example, a workflow invoked through the Port MCP server). |
| Integrations | Integration lifecycle events such as installation, configuration changes, and removal. |
| Secrets | Creation, updates, and deletion of Port secrets. |
In addition to explicit user and API operations, log entries are also created when Port's automation engine or a timer property triggers a change. These entries appear with the appropriate source indicator.
Log entry fields
Each row in the table represents one audit event. The columns shown depend on the active tab - for example, the Entities tab shows a Blueprint and an Entity column, while the Integrations tab shows an Integration column instead.
The following columns appear across all tabs:
| Column | Description |
|---|---|
| Date | The timestamp of the event, in your local timezone. |
| Source | Who or what triggered the change. This can be a specific user (shown with their name or email), an integration, or a webhook. |
| Operation | The type of change: Create, Update, Delete, or Timer Expired. |
| Type | The origin system that performed the change. See source types below. |
| Status | Whether the operation succeeded or failed. |
| Error | If the operation failed, a short description of the error. |
The Entities tab includes one additional column:
| Column | Description |
|---|---|
| Run ID | If the entity change was triggered by a self-service action run, this links directly to that run. |
Source types
The Type column identifies which system or integration performed the change. Possible values include:
UI- a change made directly through Port's user interface.API- a change made via Port's REST API (for example, from a CI/CD pipeline, a script, or an AI agent invoking a workflow through the Port MCP server).WEBHOOK- a change triggered by an incoming webhook.K8S EXPORTER- a change synced from the Kubernetes exporter.GITHUB EXPORTER/BITBUCKET EXPORTER/GITLAB EXPORTER- a change synced from a Git exporter.GITHUB GITOPS/BITBUCKET GITOPS- a change synced via GitOps.GH ACTION- a change triggered from a GitHub Actions workflow.AWS EXPORTER- a change synced from the AWS exporter.TERRAFORM- a change applied using Port's Terraform provider.PULUMI- a change applied using Port's Pulumi provider.CODEFRESH- a change triggered from a Codefresh pipeline.AGGREGATION PROPERTY- a change computed by an aggregation property recalculation.PORT AUTOMATION- a change triggered by Port's automation engine.PORT INTERNAL- a change performed by Port's internal systems.
Viewing change details
Each log entry can be expanded to view a diff showing the exact state of the resource before and after the change. Click the expand icon at the left edge of a row to open the diff view.
The diff is not available for entries that represent read-only events or entries where Port did not capture a before/after snapshot.
Filtering and sorting
The audit log table supports standard table controls:
- Sort by any column by clicking the column header.
- Filter rows by clicking the filter icon in the table header and adding filter rules.
- Hide or reorder columns using the column settings.
Access control
The audit log page is accessible only to admin users. Admins can reach it via the Builder > Audit log menu in the sidebar.
Non-admin users cannot access the audit log page, but they can view the history of their own action runs:
- Click My inbox in the sidebar.
- In the modal that opens, select the Runs tab.
- The list shows all action runs initiated by the current user, along with their status and audit details.
Limitations
The audit log page displays the last 1,000 entries.
To query beyond this limit or run automated queries, use the API.
Data retention
Audit log entries are retained for 90 days by default. Entries older than 90 days are automatically removed.
Sign-in and account access logs are retained for 30 days. For more details on Port's data retention policies, see Security & compliance.
Querying via the API
You can retrieve audit log entries programmatically using Port's REST API.
For the full parameter reference and available filters, see Get audit logs.