Data model

Audit event

Append-only audit log for GDPR + dispute evidence. Who changed what and when. One row per mutation / login attempt / email send.

Model name: audit_event
Endpoints: 2
Max page size: 200

Fields

Per-field validation rules. Values that violate any constraint are rejected with 400 before they reach the database.

Field         Type    Constraints
ip            string  max length 64
action        string  max length 64
details       dict    -
actor_id              max length 64
category      enum    enum: mutation | auth | email | ai | system
entity_id     string  max length 64
user_agent    string  max length 500
actor_label   string  max length 200
entity_type   string  max length 64
occurred_at   string  max length 32
entity_label  string  max length 200

Mutability

Which fields can you send, and when? Anything without a marker is server-managed - sending it isn't an error, it's silently ignored.

Create-only - read from POST body.
Patchable - read from PATCH body.
Server-managed - ignored on the body.

Field  Create  Patch
ip
action
details
actor_id
category
entity_id
user_agent
actor_label
entity_type
occurred_at
entity_label

Fields marked create-only but not patchable are immutable after creation. Server-managed fields include id, timestamps, ownership, and status.

Filtering & sorting

Combinable on list endpoints. Repeating a filter key produces an IN clause; prefixing a sort key with - reverses direction. Example: ?status=open&status=blocked&sort=-created_at.

Filter keys

category     data__category
actor_id     data__actor_id
entity_type  data__entity_type
entity_id    data__entity_id
action       data__action
created_at   created_at
owned_by     owned_by
created_by   created_by

Sort keys

created_at   created_at
occurred_at  data__occurred_at
category     data__category

Default: created_at

Endpoints

Each endpoint below lists its HTTP method, path, and the PAT scope it needs. Code samples cover curl, JavaScript, TypeScript, Python, Rust, Java, and WebSocket.

GET /xapi2/data/audit_event (scope: audit_event:list)

List objects

Returns a paginated list of objects you can read. Default page size is 20; pass ?limit= to change (capped per type). Use ?after=<id> for keyset pagination on created_at-sorted lists, or ?offset= for offset paging.

curl -H "Authorization: Bearer pat_…" \
"https://ki-bewerber-management.de/xapi2/data/audit_event?limit=20"

GET /xapi2/data/audit_event/{id} (scope: audit_event:read)

Read one

Returns the object by id. 404 if it does not exist or you cannot read it (the two cases are intentionally conflated).

curl -H "Authorization: Bearer pat_…" \
https://ki-bewerber-management.de/xapi2/data/audit_event/OBJECT_ID
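
An added example, not part of the KI BMS documentation: a client-side helper that applies the list endpoint's rules from this page (allowed filter and sort keys, repeated keys for IN, the 200-row cap, ?after= only on created_at-sorted lists) when exporting audit events for review. The function names, the injected fetch callable and the response shape (a JSON list of objects carrying an id) are assumptions; ROWS and fake_fetch are constructed stand-ins for the HTTP call.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://ki-bewerber-management.de/xapi2/data/audit_event"
FILTER_KEYS = {"category", "actor_id", "entity_type", "entity_id", "action",
               "created_at", "owned_by", "created_by"}
SORT_KEYS = {"created_at", "occurred_at", "category"}
CATEGORIES = {"mutation", "auth", "email", "ai", "system"}
MAX_LIMIT = 200  # "Max page size" for audit_event

def list_url(filters=None, sort="created_at", limit=20, after=None):
    """Build a list URL; several values for one key become repeated params."""
    pairs = []
    for key, values in (filters or {}).items():
        if key not in FILTER_KEYS:
            raise ValueError(f"unknown filter key: {key}")
        for value in [values] if isinstance(values, str) else values:
            if key == "category" and value not in CATEGORIES:
                raise ValueError(f"unknown category: {value}")
            pairs.append((key, value))
    sort_key = sort[1:] if sort.startswith("-") else sort
    if sort_key not in SORT_KEYS:
        raise ValueError(f"unknown sort key: {sort}")
    if after is not None and sort_key != "created_at":
        raise ValueError("?after= paging is for created_at-sorted lists")
    pairs += [("sort", sort), ("limit", max(1, min(limit, MAX_LIMIT)))]
    if after is not None:
        pairs.append(("after", after))
    return f"{BASE}?{urlencode(pairs)}"

def iter_events(fetch, **query):
    """Yield all matching events, passing the last id seen as ?after=."""
    after = None
    while True:
        page = fetch(list_url(after=after, **query))  # fetch: hypothetical
        if not page:
            return
        yield from page
        after = page[-1]["id"]

# Constructed stand-in for the HTTP call (assumed shape: list of {"id": ...}).
ROWS = [{"id": f"ev{n}", "category": "auth"} for n in range(1, 6)]

def fake_fetch(url):
    q = parse_qs(urlsplit(url).query)
    start = int(q["after"][0][2:]) if "after" in q else 0
    return ROWS[start:start + int(q["limit"][0])]
```

In real use, replace fake_fetch with a function that sends the request with the Authorization: Bearer header and returns the decoded rows.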

Use in CLI

The same endpoints are also exposed via the KI BMS CLI. For scripts, CI, and bulk imports it's usually the faster path.

atscli audit_event list --limit 5
atscli audit_event get <id>
atscli audit_event schema # fields & limits

Full command reference, profiles, CSV import, auto-retry, NDJSON streaming → /docs/cli