Every mutating operation in the ServiciosYa API — logins, registrations, service changes, payment validations, file uploads — automatically fires an audit event. No extra work is required from the calling client. TheDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CodexaCP/SERVICIOS-BACK/llms.txt
Use this file to discover all available pages before exploring further.
AuditEventService.TryWriteAsync method is called at the end of each controller action and internally by stored procedures, ensuring a complete trail of who did what, when, and from which IP address.
The platform runs two complementary audit systems side by side:
- Legacy — rows written by the
dbo.InsertAuditLogstored procedure directly from within SQL stored procedures, queryable viaPOST /api/audit/logs. - PRO — structured rows written by
AuditEventServiceintodbo.AuditEventsanddbo.AuditChanges, queryable viaPOST /api/v1/audit/events/searchandGET /api/v1/audit/events/{id}.
TryWriteAsync is designed to be fault-tolerant. It wraps every database write in a try/catch and logs a warning on failure instead of throwing. An audit failure will never block or roll back the business operation that triggered it.The default data retention for audit events is controlled by the
AuditRetentionDays application setting (default: 90 days). Records older than this threshold can be purged during scheduled maintenance without affecting the operational system.PRO Audit System
AuditEvents table
Thedbo.AuditEvents table (created by 2026-04-27_audit_pro_and_diagnostics.sql) stores one row per audited operation with the following fields:
| Field | Type | Description |
|---|---|---|
Id | BIGINT | Auto-increment primary key |
TimestampUtc | DATETIME2 | UTC timestamp of the event |
UserId | INT (nullable) | ID of the acting user, or null for anonymous actions |
UserEmail | NVARCHAR(256) | Email or username of the acting user |
Role | NVARCHAR(100) | Role of the acting user at the time of the event |
CompanyId | INT (nullable) | Tenant identifier |
Action | NVARCHAR(100) | Action code (e.g. LOGIN, CREATE_SERVICE) |
Module | NVARCHAR(100) | Functional area (e.g. AUTH, PAYMENTS) |
EntityName | NVARCHAR(100) | Table or domain object affected |
EntityId | NVARCHAR(100) | Identifier of the affected entity |
CorrelationId | UNIQUEIDENTIFIER | Request-scoped correlation ID for tracing |
IpAddress | NVARCHAR(64) | Client IP address |
UserAgent | NVARCHAR(512) | HTTP User-Agent header value |
Result | NVARCHAR(20) | Success or Fail |
Severity | NVARCHAR(20) | Info, Warning, Error, or Critical |
Message | NVARCHAR(500) | Human-readable description of the event |
IsVisibleForAdmins | BIT | Whether ADMIN_GENERAL can see this event (default 1) |
HiddenByUserId | INT (nullable) | User who hid the event (set by hide/unhide operations) |
HiddenAtUtc | DATETIME2 (nullable) | UTC timestamp when the event was hidden |
AuditChanges table
Field-level diffs are stored indbo.AuditChanges, linked to dbo.AuditEvents by AuditEventId:
| Field | Type | Description |
|---|---|---|
Id | BIGINT | Auto-increment primary key |
AuditEventId | BIGINT | Foreign key to dbo.AuditEvents |
FieldName | NVARCHAR(128) | Name of the changed field |
OldValue | NVARCHAR(MAX) | Value before the change (nullable) |
NewValue | NVARCHAR(MAX) | Value after the change (nullable) |
Values containing the words
password, token, or authorization (case-insensitive) are automatically replaced with [REDACTED] before being written to AuditChanges. Values longer than 4,000 characters are truncated.Querying PRO Audit Events
Search events
Endpoint:POST /api/v1/audit/events/searchAuth:
SUPER_ADMIN or ADMIN_GENERAL
SUPER_ADMIN can search across all companies and see all events including hidden ones. ADMIN_GENERAL sees only events belonging to their own company that have IsVisibleForAdmins = 1.
Request body
pageSize is clamped to a maximum of 200.
Response 200 OK
Get a single event with field-level changes
Endpoint:GET /api/v1/audit/events/{id}Auth:
SUPER_ADMIN or ADMIN_GENERAL
200 OK — includes a changes array with per-field diffs:
Managing Event Visibility
SUPER_ADMIN can hide sensitive events from ADMIN_GENERAL users without deleting them.
Hide an event
Endpoint:POST /api/v1/audit/{id}/hideAuth:
SUPER_ADMIN only
IsVisibleForAdmins = 0, records HiddenByUserId and HiddenAtUtc. Returns { "message": "Evento ocultado." }.
Unhide an event
Endpoint:POST /api/v1/audit/{id}/unhideAuth:
SUPER_ADMIN only
IsVisibleForAdmins = 1 and clears HiddenByUserId and HiddenAtUtc. Returns { "message": "Evento restaurado." }.
Legacy Audit Logs
The legacy system predates the PRO tables and is backed by thedbo.InsertAuditLog stored procedure, which is called directly from within every core stored procedure (Auth_Login, CreateService, CreateServiceRequest, etc.).
Endpoint: POST /api/audit/logsAuth:
SUPER_ADMIN or ADMIN_GENERAL
Request body (all fields optional)
200 OK
The response is wrapped in an envelope with a success flag. The data object is a paginated result:
username and companyName are resolved by joining dbo.[User] and dbo.Company respectively, so the raw stored values (numeric IDs) are translated into human-readable labels.
Legacy audit entries do not support the hide/unhide operations or field-level
changes arrays. Those features are exclusive to the PRO system. If the dbo.AuditEvents table does not yet exist (i.e. migration 2026-04-27_audit_pro_and_diagnostics.sql has not been run), PRO endpoints return empty paginated results instead of an error.Complete list of audited actions
The following table lists everyAction value currently written by the API, along with its module and the event that triggers it.
| Action | Module | Trigger |
|---|---|---|
LOGIN | AUTH | Successful or failed login attempt |
REGISTER_CUSTOMER | AUTH | Self-registration via POST /api/auth/register |
REGISTER_INTERNAL | AUTH | Internal user creation via POST /api/auth/register/internal |
CHANGE_PASSWORD | AUTH | Password change via POST /api/auth/change-password |
DELETE_PORTAL_USER | AUTH | User deactivation via DELETE /api/auth/users/{id} |
CREATE_SERVICE_REQUEST | SERVICE_REQUESTS | New service request submitted |
UPDATE_REQUEST_STATUS | SERVICE_REQUESTS | Service request status transition |
UPLOAD_ATTACHMENT | SERVICE_REQUESTS | Optional file attached to a request |
UPLOAD_INVOICE | SERVICE_REQUESTS | Invoice attached by an admin |
UPLOAD_DELIVERY_ATTACHMENT | SERVICE_REQUESTS | Delivery document attached by a gestor |
RESOLVE_CANCELLATION_REMINDER | SERVICE_REQUESTS | Cancellation reminder marked resolved |
DELETE_SERVICE_REQUEST | SERVICE_REQUESTS | Request deleted by SUPER_ADMIN |
VALIDATE_PAYMENT | PAYMENTS | Payment proof approved |
REJECT_PAYMENT | PAYMENTS | Payment proof rejected |
CONFIRM_REFUND | PAYMENTS | Refund confirmed by gestor |
UPLOAD_PAYMENT_PROOF | UPLOADS | Payment proof image uploaded |
HIDE_AUDIT_EVENT | AUDIT | Audit event hidden from admins via POST /api/v1/audit/{id}/hide |
UNHIDE_AUDIT_EVENT | AUDIT | Audit event made visible again via POST /api/v1/audit/{id}/unhide |
InsertAuditLog table:
| Action (legacy) | Stored Procedure |
|---|---|
SELF_REGISTER / REGISTER_CUSTOMER | RegisterCustomerUser |
CHANGE_PASSWORD | ChangeUserPassword |
LOGIN / LOGIN_FAILED | Auth_Login |
CREATE | CreateService |
UPDATE | UpdateService |
STATUS_CHANGE | ToggleServiceStatus |
DELETE | DeleteService |
INSERT | CreateServiceRequest, CreateServiceRequestAttachment |
UPDATE | UpdateServiceRequestStatus, ValidateServiceRequestPayment |