Activity Log & SIEM Integration
Monitor workspace activity, export events, and connect external security tools.
What is the Activity Log?
The Activity Log gives workspace admins a chronological record of security-relevant events in their workspace, along with who performed each action, when, and from where.
You can browse activity directly in the admin dashboard, export it to CSV for ad-hoc review, or stream it into your SIEM via a pollable JSON API for long-term retention and alerting.
What gets logged
Every event captures:
- Who performed the action (name, email, user ID)
- When it happened
- The IP address and country of origin
- All relevant transfer details at the time of the event
For the full list of supported event types and their schemas, see the API reference below.
Viewing activity in the dashboard
Navigate to Workspace Settings → Activity Log to see the live activity feed.
Filtering events
Use the dropdown filters to narrow down the event list:
- Event type — show only specific event types (e.g. "Transfer created")
- Member — show only events from a specific team member
Viewing event details
Click on any event to open the detail view, which shows all information captured at the time of the event — including transfer settings, IP address, and country.
Exporting to CSV
Click Export CSV to download events from any date range (up to 1 month). The CSV includes: event ID, timestamp, event type, actor email, transfer ID, IP address, country code, and the full event data.
Connecting a SIEM integration
You can connect external SIEM tools — such as Splunk — to automatically poll your workspace's activity events.
Step 1: Generate an API token
- Go to Workspace Settings → Activity Log
- In the API Tokens section at the top of the page, click Generate new token
- Choose an expiration time, or select "Token never expires"
- Click Generate token
- Copy the token from the list to use in your SIEM configuration
Step 2: Copy the endpoint URL
Use this endpoint URL:
https://wetransfer.com/api/external/v1/activity-events
Step 3: Configure your SIEM
Use the token and endpoint URL to set up a polling integration in your SIEM tool. The integration must:
- Poll the endpoint at regular intervals. 1 minute is a good default for SIEM use; anything between 1 and 5 minutes is reasonable depending on how fresh you need the data (the API allows up to 60 requests per minute per token — see Rate limiting below).
- On the first run, pass since=<current_time> in ISO 8601 format to start from now, or omit it to backfill all available history (up to 1 year).
- Include the token in the Authorization header: Authorization: Bearer <your-token>
- Save the next_cursor from each response and pass it as the after parameter in the next request.
- If has_more is true, fetch the next page immediately before waiting.
- On a 429 response, honor the Retry-After header (in seconds) before retrying.
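
The polling loop these requirements describe, as an added Python example (not part of the original page and not WeTransfer's own code). The state dict, the emit callback, the injectable get and sleep parameters and the placeholder token are assumptions of this example; demo() runs the loop against constructed responses rather than real API output.

```python
import json, time, urllib.error, urllib.parse, urllib.request

ENDPOINT = "https://wetransfer.com/api/external/v1/activity-events"

def http_get(params, token):
    """Real transport: returns (status, headers, parsed JSON body)."""
    url = ENDPOINT + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.headers, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, err.headers, json.loads(err.read() or b"{}")

def poll_once(token, state, emit, since=None, get=http_get, sleep=time.sleep):
    """Drain every page available now. The caller persists `state` between
    runs; `emit` forwards one event to the SIEM (both are assumptions)."""
    while True:
        params = {"limit": 100}
        if state.get("cursor"):
            params["after"] = state["cursor"]  # resume where the last run stopped
        elif since:
            params["since"] = since            # first run only; omit to backfill
        status, headers, body = get(params, token)
        if status == 429:                      # honor Retry-After (seconds)
            sleep(int(headers.get("Retry-After", 1)))
            continue
        if status != 200:                      # surface error code and request_id
            err = body.get("error", {})
            raise RuntimeError(f"{status} {err.get('code')} {err.get('request_id')}")
        for event in body["events"]:
            emit(event)
        # Advance only after the page is emitted; de-duplicate replays on event_id.
        state["cursor"] = body.get("next_cursor") or state.get("cursor")
        if not body.get("has_more"):
            return state

def demo():
    """Run poll_once against constructed responses (not real API output)."""
    pages = [(429, {"Retry-After": "2"}, {}),
             (200, {}, {"events": [{"event_id": "a"}], "next_cursor": "c1", "has_more": True}),
             (200, {}, {"events": [{"event_id": "b"}], "next_cursor": "c2", "has_more": False})]
    sent, waits, seen = [], [], []
    def fake_get(params, token):
        sent.append(params)
        return pages.pop(0)
    state = poll_once("placeholder-token", {}, seen.append,
                      since="2026-04-15T10:00:00Z", get=fake_get, sleep=waits.append)
    return state, [e["event_id"] for e in seen], waits, sent
```

Call poll_once from your scheduler at the chosen interval, write state to durable storage after each call, and read the token from your secret store rather than from source code.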
Step 4: Verify events are arriving
After configuring your SIEM, create a test transfer on your workspace. Events typically become available via the API within a few seconds of the action and should appear in your SIEM on the next poll. If an event hasn't arrived after a minute, check that the token is active, that no event_type filter is excluding it, and that the polling job is using the latest next_cursor.
Managing API tokens
All active tokens are listed in the API Tokens section, showing:
- Token value
- Expiration date (or "No expiration")
- Whether the token is active or expired
Click the trash icon next to any token to revoke it. This immediately prevents any SIEM integration using that token from accessing your events.
Rotating a token without downtime
When rotating credentials (scheduled rotation, or after a suspected exposure):
- Generate a new token
- Update your SIEM configuration to use the new token
- Confirm the new token is in use — its last_used_at timestamp will update within a polling cycle
- Revoke the old token
API reference
Endpoint
GET https://wetransfer.com/api/external/v1/activity-events
Authorization: Bearer <your-token>
Parameters
| Parameter | Required | Description |
|---|---|---|
| after | No | Cursor from a previous response for pagination |
| limit | No | Number of events per page (1–100, default 50) |
| event_type | No | Filter by event type. Allowed values: transfer_created, transfer_deleted, transfer_downloaded, transfer_previewed |
| since | No | Only events after this time (ISO 8601) |
| until | No | Only events before this time (ISO 8601) |
Response format
{
  "events": [
    {
      "event_id": "cf2a4ece6e2164b01f351671881a153e",
      "event_type": "transfer_created",
      "actor_email": "user@company.com",
      "actor_id": "email|adroit|3f8d2e1a-5b22-40aa-95d1-5f831b8d9f42",
      "ip_address": "203.0.113.42",
      "country_code": "NL",
      "target": { "type": "transfer", "id": "transfer-id" },
      "data": { "transfer_name": "Project files", "..." },
      "created_at": "2026-04-15T10:00:00Z"
    }
  ],
  "next_cursor": "opaque-cursor-string",
  "has_more": true
}

Events are returned in ascending created_at order (oldest first), with event_id as a stable tie-breaker. This ordering is guaranteed across pages, so you can safely stream events to your SIEM as they arrive.
Event-specific data fields
The data object shape depends on the event_type. Common fields like actor_name, transfer_name, short_url, and transfer_owner_email appear on every event. Type-specific fields:
| Event type | Additional fields in data |
|---|---|
| transfer_created | file_count, file_size, message, recipients, expiry_date, view_option, access_control, password_protected, allow_comments, allow_favorites, edits_allowed, transfer_type |
| transfer_deleted | (common fields only) |
| transfer_downloaded | download_type (one of single_file, multiple_files, entire_transfer), file_ids |
| transfer_previewed | (common fields only) |
Rate limiting
The API allows 60 requests per minute per token. If you exceed this limit, you'll receive a 429 response with a Retry-After header indicating how many seconds to wait.
Error responses
All errors return a consistent JSON body with a machine-readable code, a human-readable message, and a request_id useful when contacting support:
{
  "error": {
    "code": "token_invalid",
    "message": "Invalid or expired token.",
    "request_id": "dae749c0542e1a59eb107290a3185a5c"
  }
}

| Status | Code | Meaning |
|---|---|---|
| 400 | invalid_cursor | The after cursor is malformed |
| 400 | invalid_timestamp | since or until is not a valid ISO 8601 timestamp |
| 401 | token_required | Missing or non-Bearer Authorization header |
| 401 | token_invalid | Token is invalid, expired, or revoked |
| 403 | plan_not_eligible | Activity API is available on Enterprise Custom Contract plans. Contact your account manager to enable it. |
| 429 | rate_limit_exceeded | More than 60 requests in the last minute. Wait the number of seconds in the Retry-After header before retrying. |
| 503 | service_unavailable | Token validation is temporarily unavailable. Retry with backoff. |
Frequently asked questions
Can I get events for deleted transfers?
Yes. Events are self-contained — all transfer details are captured at the time of the event and remain available even after the transfer is deleted.
What happens if my SIEM goes offline?
When your SIEM comes back online, it resumes from where it left off using the saved cursor. No events are lost.
Can I have multiple API tokens?
Yes. You can generate multiple tokens, for example one per SIEM integration.
Who can manage API tokens?
Only workspace admins can generate, view, and revoke API tokens.