List tamper-evident audit events
Returns hash-chain audit events for the authenticated org. Events include a `prevHash` / `entryHash` linkage for integrity verification. Accepts optional filters by `entityId` and/or `entityType`.
Rensei API key. Format: rsk_live_<random>. Generated in Settings or via POST /api/org/{orgId}/keys. Used by CLI (af), daemon, and programmatic integrations.
In: header
Query Parameters
501 <= value <= 20000 <= valueResponse Body
application/json
application/json
curl -X GET "https://example.com/api/audit"{
"events": [
{
"id": "string",
"workspaceId": "string",
"sequenceNumber": 0,
"eventType": "string",
"actorId": "string",
"actorType": "string",
"entityType": "string",
"entityId": "string",
"payload": {},
"prevHash": "string",
"entryHash": "string",
"occurredAt": "2019-08-24T14:15:22Z"
}
]
}{
"error": "Session not found"
}Inbound webhook from a provider
Unified ingest endpoint for Linear, GitHub, GitHub Actions, and Vercel webhooks. Validates HMAC signature, checks idempotency, and immediately returns 200. All routing/execution is deferred via `after()`. Duplicate deliveries are detected via the gateway's idempotency layer and return `{ ok: true, duplicate: true }`. Providers register at: `POST /api/integrations/{provider}/oauth/authorize`.
Per-workspace JWKS for audit signature verification
Fully unauthenticated. Returns all Ed25519 public keys (active and revoked) for the workspace so external auditors can verify audit event signatures without Rensei systems. - Supports both `/{workspace_id}` and `/{workspace_id}.json` paths. - Unknown workspaces return `{ keys: [] }` with status 200 (no workspace-existence leakage via status code). - Caching: `public, max-age=300, stale-while-revalidate=3600` + ETag. - CORS: `access-control-allow-origin: *`.