Documentation Index
Fetch the complete documentation index at: https://docs.usebila.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
Overview
The Audit Trail gives you complete visibility into everything that happens inside your account. Every login, setting change, and API request is logged — giving you a full, tamper-evident record for security reviews, compliance checks, and incident investigation.
Only a Merchant Admin can access the Audit Trail.
Step 1: Open the Audit Trail
- Click Settings at the bottom of the left sidebar.
- Select the Audit Trail tab from the top navigation bar.
The dashboard displays a chronological list of all account activity, including the timestamp, acting admin, HTTP method, endpoint accessed, and request status.
Step 2: Search and Filter Logs
Use the filters at the top of the dashboard to narrow down thousands of entries:
| Filter | How to Use |
|---|
| Search bar | Search by keyword, endpoint, or action description |
| Admin email | Filter to see all actions performed by a specific team member |
| IP address | Track activity originating from a specific device or network location |
| Date range | Set a Start date and End date to isolate a specific time window |
| HTTP method | Filter by action type — view, create, update, or delete |
For security investigations, combine Admin email with a Date range to reconstruct exactly what a specific team member did during a given period.
Step 3: Understand HTTP Methods
Every log entry includes a Method that describes the type of action performed:
| Method | Action Type | What It Means |
|---|
GET | View / Read | The user viewed information — checking a balance, loading a list, or opening a record |
POST | Create | The user added something new — creating a payment, inviting an admin, or generating an API key |
PUT | Update / Replace | The user replaced an existing setting or record entirely |
PATCH | Modify | The user made a targeted edit to part of an existing record or setting |
DELETE | Remove | The user deleted a record, API key, or team member from the system |
DELETE and PUT actions are the highest-risk entries in your audit log. Review these immediately if you notice unexpected changes to settings, team members, or API keys.
Step 4: View Detailed Log Entries
To inspect the full details of any specific action:
- Click the eye icon in the Actions column next to the log entry.
- The Audit log details side panel opens with the following sections:
Request Summary
The top of the panel shows a snapshot of the API request:
| Field | Description |
|---|
| Method badge | The HTTP method used (e.g., GET, POST, DELETE) |
| Endpoint | The full API path accessed (e.g., /api/v1/admin/merchants/{id}/sms-logs) |
| Duration | How long the request took to complete, in milliseconds |
| IP Address | The network address the request originated from |
| Timestamp | The exact date and time the action occurred |
| User Agent | The browser and operating system used (e.g., Chrome/147 on Windows 10) |
Response Body
The Response body tab shows the raw API response returned for that request — exactly what the system sent back. This is the most detailed view available for any logged action.
Each entry in the response includes:
| Field | Description |
|---|
recipient | The masked phone number the alert was sent to (e.g., +2609***000) |
event | The event type that triggered the alert (e.g., payment.received, low.balance) |
status | Delivery result — DELIVERED, SENT, QUEUED, or FAILED |
messagePreview | The exact text of the SMS that was sent or attempted |
providerRef | The mobile network’s reference ID for the message — null if the message never reached the provider |
{
"data": [
{
"recipient": "+2609***000",
"event": "payment.received",
"status": "DELIVERED",
"messagePreview": "You received ZMW 250 from 0960000001. Ref: DEP-abc123-001. Balance: ZMW 1,250.",
"providerRef": "MTN-ZM-00123456"
},
{
"recipient": "+2609***000",
"event": "low.balance",
"status": "DELIVERED",
"messagePreview": "Your Main Wallet balance is below ZMW 100.",
"providerRef": "MTN-ZM-00123457"
},
{
"recipient": "+2609***000",
"event": "payment.failed",
"status": "FAILED",
"messagePreview": "Your payment of ZMW 500 to 0970000002 could not be processed.",
"providerRef": null
},
{
"recipient": "+2609***000",
"event": "stock.low",
"status": "SENT",
"messagePreview": "Wireless Headphones stock is below 5 units.",
"providerRef": "MTN-ZM-00123458"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total": 4,
"totalPages": 1
}
}
| Field | Description |
|---|
page | The current page of results being viewed |
limit | Maximum number of entries returned per page |
total | Total number of matching log entries |
totalPages | Total number of pages across all results |
A providerRef of null means the message was rejected before it reached the mobile network. This is a strong signal that the recipient’s phone number is invalid or inactive — verify their contact details in Admins or Cashiers.
Location
Switch to the Location tab to see the geographic and network origin of the action:
| Field | Description |
|---|
| City | The city associated with the request’s IP address |
| Country | The country the request originated from |
| ISP | The Internet Service Provider linked to that IP address |
If you see a City, Country, or ISP that doesn’t match your team’s known locations, treat it as a potential security incident. Immediately review the admin’s account, reset their password, and consider deactivating the account while you investigate.
Security Investigation Reference
| What You See | What to Do |
|---|
DELETE action on an admin or API key you didn’t authorise | Check User Info for the acting admin and reset their credentials immediately |
POST to a payments endpoint at an unusual time | Cross-reference with Location to verify the request came from a known device |
Multiple GET requests from an unfamiliar IP | Check ISP and City — could indicate credential sharing or a compromised session |
providerRef: null on critical alerts | Verify the recipient’s phone number is correct in their profile |
| Actions from an admin who has left the business | Deactivate their account immediately via Settings → Admins |
Next Steps
