Audit event schema
Every MCP tool call through Wicket writes an audit entry — whether allowed or denied. Entries are visible in the dashboard Audit tab and queryable via the REST API.
Entry fields
| Field | Type | Description |
|---|---|---|
id | string | Unique entry ID |
timestamp | ISO 8601 | When the decision was made |
agentId | string | Agent UUID |
agentName | string | Agent display name |
memberId | string | Agent member UUID |
memberName | string | Member’s email or display name |
memberKeyId | string | Key record ID (not the key itself) |
sessionId | string | MCP session ID, if applicable |
service | string | Connector: github, slack, linear, etc. |
tool | string | Tool name: e.g. search_repositories |
action | string | Cedar action URI: e.g. GitHubMCP::Action::"search_repositories" |
resource | string | Cedar resource the action targeted |
callerIp | string | IP address the call originated from. Not redacted — visible to all members |
toolArgs | object | Arguments passed to the tool (may be redacted) |
decision | ALLOW | DENY | Proxy verdict |
reason | string | Human-readable explanation of the decision |
matchedPolicyIds | string[] | Policy keys that matched this call |
matchedPolicyNames | string[] | Human-readable names of matched policies |
durationMs | number | Total proxy time in milliseconds, including upstream |
principal | string | Cedar principal string used for evaluation |
Querying audit logs
GET /api/audit?service=github&result=DENY&limit=50Query parameters
| Parameter | Type | Description |
|---|---|---|
from | ISO date | Start of time range (inclusive) |
to | ISO date | End of time range (inclusive) |
agent | string | Substring match on agent name (case-insensitive) |
service | string | Exact connector key — github, slack, … |
tool | string | Substring match on tool name (case-insensitive) |
result | ALLOW | DENY | Filter by decision |
member | string | Exact member ID (the memberId UUID from an entry) — not an email |
policy | string | Exact policy database ID (the policyId UUID from an entry) — not the policy key |
limit | number | Max results (default: 500, max: 500) |
offset | number | Pagination offset |
The member and policy filters take internal IDs, not human-friendly values — there is no email or policy-key lookup. In the dashboard this is automatic: clicking a member or a matched policy in the Audit view fills the right ID for you. To filter by ID directly, read memberId / policyId off any entry first (or list members via GET /api/audit/members).
Export
Use the dedicated CSV export endpoint with the same filters:
GET /api/audit/export?from=2026-01-01&to=2026-01-31&result=DENYAdd exportAll=true with max (up to 500) and page with offset for bulk pulls. Columns: timestamp, agent, member, tool, service, resource, decision, reason, duration, and matched policy identifiers. Note that callerIp is currently not included in the CSV export.
On trusted agents, exports for non-owner members redact policy identities — the same visibility rule the dashboard applies.
Example entry
{ "id": "aev_01j9xk...", "timestamp": "2026-05-19T14:32:01.123Z", "agentId": "a1b2c3d4-...", "agentName": "my-first-agent", "memberId": "m9z8y7x6-...", "memberName": "alice@example.com", "service": "github", "tool": "search_repositories", "action": "GitHubMCP::Action::\"search_repositories\"", "decision": "ALLOW", "reason": "No forbid policy matched", "matchedPolicyIds": [], "matchedPolicyNames": [], "durationMs": 312}