- What are Workspace Audit Logs?
- What events are included?
- Who can access audit logs?
- How to enable Workspace Audit Logs
- Webhook delivery
- Data and privacy considerations
- Why use Workspace Audit Logs?
- Notes
Workspace Audit Logs provide administrators with visibility into security-related activity across their workspace. They enable organizations to monitor access, track configuration changes, and integrate with external security and compliance tools. Currently, audit logs can only be delivered via webhook, and require an Enterprise+ subscription.
What are Workspace Audit Logs?
Workspace Audit Logs capture a structured stream of events that reflect activity within your workspace. These logs help teams:
- Monitor user authentication and access changes
- Track workspace and team permission updates
- Audit integrations and configuration changes
- Support security reviews and compliance requirements
Audit logs follow the Open Cybersecurity Schema Framework (OCSF), a standardized, platform-agnostic schema designed for security event data. This makes it easier to integrate with SIEM platforms and other security tools without requiring custom transformation.
What events are included?
Audit logs include key security and administrative events within the workspace, such as:
- Authentication activity (logins, logouts, password resets, email verification)
- Account status changes (deactivation, reactivation, deletion)
- Authorization changes (meeting report access for users and groups)
- Integration activity (integrations enabled or disabled for the workspace, users connecting and disconnecting)
- Workspace administration actions (user invites, additions, removals, settings changes)
To protect privacy, audit logs do not include user-generated content (such as meeting transcripts or search queries).
For a complete and detailed list of all audit log events and their corresponding OCSF classes, see Workspace Audit Logs: Event Types and Schema.
Who can access audit logs?
Workspace Audit Logs can only be enabled and configured by workspace admins and owners.
Once a webhook is configured and audit log data is being delivered, Read does not store or control that data. It is your responsibility to ensure that your endpoint and any downstream storage systems handle this data securely and in accordance with your organization’s policies.
As a security best practice, you should also verify incoming webhook requests to confirm that audit log payloads are genuinely sent by Read and have not been tampered with in transit.
How to enable Workspace Audit Logs
- Go to Integrations > Workspace > Audit Log Webhook
- Click “Create webhook”
- Enter a name and your endpoint URL (HTTPS required)
- Click “Create webhook” to confirm
- Copy the signing key to use later for verification
Data will start to flow automatically once the webhook is created.
Webhook delivery
Audit logs are delivered via webhook to a destination you configure.
- Logs are batched and sent approximately every 5 minutes
- Delivered in JSON Lines (JSONL) format
- Includes a test option to validate your configuration
- Supports request signing for verification
- Automatically retries failed deliveries (up to 5 retries)
Because data is batched, each webhook delivery may include multiple log events. Webhooks will not trigger when there has been no activity.
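The sketch below is an added example, not Read's code: a receiver-side handler that verifies the signature, parses the JSONL batch, and drops events already seen, since a retried delivery can repeat a batch your endpoint already processed. The signing scheme (hex HMAC-SHA256 over the raw body), the presence of OCSF `metadata.uid` on each event, and all function names and sample data are assumptions; confirm the actual scheme and header in Read's webhook verification documentation.

```python
import hashlib
import hmac
import json

# Constructed sample data, not real Read output. Field names follow OCSF
# (class_uid 3002 = Authentication, 3001 = Account Change).
SAMPLE_KEY = b"example-signing-key"
SAMPLE_BODY = (
    b'{"class_uid": 3002, "time": 1700000000000, "metadata": {"uid": "evt-1"}}\n'
    b'\n'
    b'{"class_uid": 3001, "time": 1700000060000, "metadata": {"uid": "evt-2"}}\n'
)

def expected_signature(signing_key: bytes, raw_body: bytes) -> str:
    # Assumption: hex HMAC-SHA256 over the exact raw body bytes.
    return hmac.new(signing_key, raw_body, hashlib.sha256).hexdigest()

def verify_signature(signing_key: bytes, raw_body: bytes, received: str) -> bool:
    expected = expected_signature(signing_key, raw_body).encode()
    # Constant-time comparison; never compare signatures with ==.
    return hmac.compare_digest(expected, received.strip().lower().encode())

def parse_jsonl(raw_body: bytes) -> list:
    events = []
    for lineno, line in enumerate(raw_body.split(b"\n"), 1):
        if not line.strip():
            continue  # tolerate blank lines and the trailing newline
        event = json.loads(line)
        if not isinstance(event, dict):
            raise ValueError(f"line {lineno}: expected a JSON object")
        events.append(event)
    return events

def handle_delivery(signing_key, raw_body, received_sig, seen):
    """Return (http_status, events not seen before)."""
    if not verify_signature(signing_key, raw_body, received_sig):
        return 401, []  # reject before parsing untrusted input
    try:
        events = parse_jsonl(raw_body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return 400, []
    fresh = []
    for event in events:
        # Assumption: events carry OCSF metadata.uid; otherwise hash the event.
        meta = event.get("metadata")
        uid = meta.get("uid") if isinstance(meta, dict) else None
        digest = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        key = uid if isinstance(uid, str) else digest
        if key not in seen:
            seen.add(key)
            fresh.append(event)
    return 200, fresh
```

In production, `seen` would be a persistent store with an expiry rather than an in-memory set, and the signature must be computed over the request body bytes exactly as received, before any framework re-serializes them.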
Data and privacy considerations
- Logs are limited to workspace-related activity only
- Activity involving external users may be partially redacted
- No user content (messages, transcripts, search queries) is included
- Access to configuration is restricted to workspace admins
Why use Workspace Audit Logs?
Workspace Audit Logs are especially useful for:
- Security monitoring and incident investigation
- Compliance and audit requirements
- Tracking access and permission changes over time
- Integrating with SIEM platforms or internal security systems
Notes
- Audit logs are disabled by default and must be enabled by an admin
- For a complete list of all audit log events, see Workspace Audit Logs: Event Types and Schema
- Audit logging is only available on the Enterprise+ plan
If you need help setting up your webhook endpoint or validating deliveries, please contact support.