The ServiciosYa audit API surfaces two separate audit systems under a unified set of endpoints. The legacy system stores records inDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CodexaCP/SERVICIOS-BACK/llms.txt
Use this file to discover all available pages before exploring further.
dbo.InsertAuditLog and is queried via the dbo.GetAuditLogs stored procedure; it tracks coarse entity-level changes as free-text old/new value strings. The PRO system writes structured events to dbo.AuditEvents with per-field change tracking in dbo.AuditChanges, rich metadata (module, action, severity, result, correlation ID, IP address), and visibility controls that allow SUPER_ADMIN to hide sensitive events from ADMIN_GENERAL users. When the PRO table is absent from the database, the PRO endpoints return empty results rather than errors, allowing zero-downtime migration.
All audit endpoints are scoped to the caller’s CompanyID claim so that ADMIN_GENERAL users can only see records belonging to their own company. SUPER_ADMIN users can query across all companies.
Authentication
| Endpoint | Required role |
|---|---|
POST /api/audit/logs | SUPER_ADMIN or ADMIN_GENERAL |
POST /api/v1/audit/events/search | SUPER_ADMIN or ADMIN_GENERAL |
GET /api/v1/audit/events/{id} | SUPER_ADMIN or ADMIN_GENERAL |
POST /api/v1/audit/{id}/hide | SUPER_ADMIN only |
POST /api/v1/audit/{id}/unhide | SUPER_ADMIN only |
POST /api/audit/logs — Query legacy audit log
Queries the legacydbo.GetAuditLogs stored procedure and returns a paginated list of AuditLogDto records. Results are always filtered to the caller’s CompanyID, which is read from the JWT claims and cannot be overridden by the request body.
Authentication: SUPER_ADMIN, ADMIN_GENERALMethod:
POSTPath:
/api/audit/logsContent-Type:
application/json
Request body
Filter by the internal user ID that performed the action.
Filter by the action type string stored in the legacy log (e.g.
"CREATE", "UPDATE").Filter by the entity type name (e.g.
"Service", "ServiceRequest").Filter by the specific entity primary key.
Inclusive start of the date range filter (local server time).
Inclusive end of the date range filter.
Free-text search applied across available text fields by the stored procedure.
1-based page number. Values below
1 are treated as 1.Records per page. Values below
1 or above 200 are clamped to 50.Response — 200 OK
Always
true for a successful response.Total number of rows matching the filters (before pagination).
The effective page number used for this response.
The effective page size used for this response.
Array of legacy audit log records.
Unique identifier of the legacy audit record.
ID of the user who performed the action.
Username looked up from
dbo.[User], enriched server-side.Company name looked up from
dbo.Company, enriched server-side.The action type string stored in the legacy log.
The entity type that was affected.
Primary key of the affected entity.
JSON-serialised snapshot of the entity’s fields before the action.
JSON-serialised snapshot of the entity’s fields after the action.
IP address of the request that triggered the audit event.
Timestamp when the audit record was written.
Legacy audit records do not support hide/unhide, per-field change detail, severity levels, or correlation IDs. Those features are only available in the PRO audit system via
/api/v1/audit/events.POST /api/v1/audit/events/search — Search PRO audit events
Searches thedbo.AuditEvents table with a rich set of filters and returns paginated results. ADMIN_GENERAL callers automatically receive only events belonging to their company and only events where IsVisibleForAdmins = 1 (i.e. not hidden by a SUPER_ADMIN). SUPER_ADMIN callers can query across all companies and see all events regardless of visibility.
Authentication: SUPER_ADMIN, ADMIN_GENERALMethod:
POSTPath:
/api/v1/audit/events/searchContent-Type:
application/json
Request body
Filter events at or after this UTC timestamp.
Filter events at or before this UTC timestamp.
Filter by the user who performed the action.
Filter by company ID.
SUPER_ADMIN only — ignored for ADMIN_GENERAL (their company is always enforced).Partial match against
UserEmail (SQL LIKE '%value%').Partial match against the company name from
dbo.Company.Exact match on the module name (e.g.
"AUTH", "PAYMENTS"). See the Actions reference table below.Exact match on the action name (e.g.
"LOGIN", "CREATE_SERVICE").Exact match on the result field (e.g.
"Success", "Failure").Exact match on the severity field (e.g.
"Info", "Warning", "Error", "Critical").SUPER_ADMIN only. Filter by visibility flag. Pass false to retrieve hidden events.Filter by the HTTP request correlation ID to find all events from a single request.
1-based page number.
Records per page. Maximum allowed value is
200.Response — 200 OK
Total matching records before pagination.
Effective page number.
Effective page size.
Page of
AuditEventDto records. See the AuditEvent fields reference below.Example
GET /api/v1/audit/events/ — Get single audit event
Retrieves the full detail of a single PRO audit event, including all field-level changes recorded indbo.AuditChanges. Access is restricted to the caller’s company for ADMIN_GENERAL. Returns 404 if the event does not exist, belongs to a different company, or is hidden from the caller’s role.
Authentication: SUPER_ADMIN, ADMIN_GENERALMethod:
GETPath:
/api/v1/audit/events/{id}
Path parameters
The unique ID of the audit event to retrieve.
Response — 200 OK
Response — 404 Not Found
Returned when the event does not exist, is outside the caller’s company scope, or (forADMIN_GENERAL) has been hidden by a SUPER_ADMIN.
Example
POST /api/v1/audit//hide — Hide an audit event
Marks an audit event as hidden by settingIsVisibleForAdmins = false, recording the acting user’s ID in HiddenByUserId and the timestamp in HiddenAtUtc. Hidden events remain fully visible to SUPER_ADMIN but are excluded from all results returned to ADMIN_GENERAL. The hide action itself is written to the audit log as a HIDE_AUDIT_EVENT event with Severity = "Warning".
Authentication: SUPER_ADMIN onlyMethod:
POSTPath:
/api/v1/audit/{id}/hide
Path parameters
The unique ID of the audit event to hide.
Response — 200 OK
Response — 404 Not Found
Returned when the event does not exist or the update affected zero rows.POST /api/v1/audit//unhide — Restore a hidden event
Reverses a previous hide by settingIsVisibleForAdmins = true and clearing HiddenByUserId and HiddenAtUtc. The action is written to the audit log as an UNHIDE_AUDIT_EVENT event with Severity = "Info". After a successful unhide, ADMIN_GENERAL users will once again see the event in search results.
Authentication: SUPER_ADMIN onlyMethod:
POSTPath:
/api/v1/audit/{id}/unhide
Path parameters
The unique ID of the audit event to restore.
Response — 200 OK
Response — 404 Not Found
Returned when the event does not exist or the update affected zero rows.AuditEvent fields reference
The following fields appear in both the search results (AuditEventDto) and the detail response (AuditEventDetailDto).
Unique identifier of the audit event in
dbo.AuditEvents.UTC timestamp when the event was written.
ID of the user who triggered the event.
null for system-generated events.Email address of the acting user at the time of the event.
JWT role claim of the acting user (e.g.
"ADMIN_GENERAL", "SUPER_ADMIN").Company the acting user belonged to.
Human-readable company name, joined from
dbo.Company.The action that was performed (e.g.
"LOGIN", "CREATE_SERVICE"). See the actions table below.Functional module that generated the event (e.g.
"AUTH", "SERVICES").The entity type affected (e.g.
"Service", "Payment").String representation of the entity’s primary key.
HTTP request correlation ID, shared by all audit events generated within the same request.
Client IP address of the originating request.
User-Agent header from the originating request.Outcome of the action. Typical values:
"Success", "Failure".Severity level:
"Info", "Warning", "Error", or "Critical".Free-text description of the event, written by the application layer.
true if the event is visible to ADMIN_GENERAL users. SUPER_ADMIN always sees all events regardless of this flag.ID of the
SUPER_ADMIN who hid this event, or null if not hidden.UTC timestamp when the event was hidden, or
null if not hidden.(Detail endpoint only.) List of
AuditChangeDto records describing per-field mutations.Unique ID of the change record in
dbo.AuditChanges.Foreign key back to
dbo.AuditEvents.Id.Name of the model property that changed.
String representation of the value before the change.
String representation of the value after the change.
Audit actions by module
The following table documents every action string that ServiciosYa writes todbo.AuditEvents.
| Module | Action | Severity (typical) | Description |
|---|---|---|---|
AUTH | LOGIN | Info | Successful user authentication. |
AUTH | REGISTER_CUSTOMER | Info | New customer portal account created. |
AUTH | REGISTER_INTERNAL | Info | New internal/staff account created. |
AUTH | CHANGE_PASSWORD | Warning | User password changed. |
AUTH | DELETE_PORTAL_USER | Warning | Portal user account deleted. |
SERVICES | CREATE_SERVICE | Info | New service catalogue entry created. |
SERVICES | UPDATE_SERVICE | Info | Existing service updated. |
SERVICES | TOGGLE_SERVICE | Info | Service enabled or disabled. |
SERVICES | DELETE_SERVICE | Warning | Service catalogue entry deleted. |
SERVICE_REQUESTS | CREATE_SERVICE_REQUEST | Info | New service request submitted. |
SERVICE_REQUESTS | UPDATE_REQUEST_STATUS | Info | Service request status changed. |
SERVICE_REQUESTS | UPLOAD_ATTACHMENT | Info | Attachment uploaded to a service request. |
SERVICE_REQUESTS | UPLOAD_INVOICE | Info | Invoice uploaded to a service request. |
SERVICE_REQUESTS | UPLOAD_DELIVERY_ATTACHMENT | Info | Delivery attachment uploaded. |
SERVICE_REQUESTS | RESOLVE_CANCELLATION_REMINDER | Info | Cancellation reminder resolved. |
SERVICE_REQUESTS | DELETE_SERVICE_REQUEST | Warning | Service request deleted. |
PAYMENTS | VALIDATE_PAYMENT | Info | Payment proof validated and accepted. |
PAYMENTS | REJECT_PAYMENT | Warning | Payment proof rejected. |
PAYMENTS | CONFIRM_REFUND | Warning | Refund confirmed for a payment. |
UPLOADS | UPLOAD_PAYMENT_PROOF | Info | Payment proof file uploaded. |
AUDIT | HIDE_AUDIT_EVENT | Warning | A SUPER_ADMIN hid an audit event. |
AUDIT | UNHIDE_AUDIT_EVENT | Info | A SUPER_ADMIN restored a hidden audit event. |
Audit write behaviour
Audit events are written via
IAuditEventService.TryWriteAsync. This method is fire-and-forget by design: it catches and swallows all exceptions so that an audit write failure never causes a user-facing operation to fail or return an error. If the dbo.AuditEvents table does not exist, writes silently no-op. Check application logs for [AuditEventService]-prefixed warning messages if events appear to be missing.