#Data Exports
Client Admins can request, track, cancel, and download account-level data exports from /settings?section=data-exports. The browser talks only to portal BFF routes under /api/account-exports; those route handlers enforce the current session and client_admin role, then forward the user's server-side bearer token to aidial_api. Browser-supplied X-API-Key headers are not forwarded.
Non-admin sessions and out-of-scope export IDs receive non-enumerating not-found responses. Create and cancel requests are CSRF protected.
#Supported Export Categories
- Users
- Configuration summaries
- Audit events
- Support tickets
The current account export feature is separate from the calls CSV export. Calls remain exported from the Calls page.
#Portal Routes
| Portal Route | Purpose |
|---|---|
GET /api/account-exports/catalog | Load supported categories and limits |
GET /api/account-exports | List tenant-scoped export jobs, with optional status/page filters |
POST /api/account-exports | Queue a new export request |
GET /api/account-exports/{jobId} | Read job status and metadata without the artifact payload |
POST /api/account-exports/{jobId}/cancel | Cancel a queued or running job |
GET /api/account-exports/{jobId}/download | Stream the completed JSON artifact with attachment and no-store headers |
#Limits
- 3 accepted export requests per user in a rolling 24-hour window
- 10 accepted export requests per tenant in a rolling 24-hour window
- 1 queued or running export per user and tenant
- Completed artifacts are downloadable for 7 days
#Statuses
| Status | Meaning |
|---|---|
| Queued | The request has been accepted and is waiting to run |
| Running | The export is being generated |
| Completed | The artifact is ready before its expiry time |
| Failed | The export could not be generated safely |
| Cancelled | A queued or running export was cancelled |
| Expired | The download window has closed; history remains visible |
#Download Rules
Downloads are rechecked against current tenant access, role, category permission, and redaction policy. If access has changed since the artifact was generated, the download is blocked and a new export is required.
Exports include a manifest with selected categories, read timestamps, row counts, policy digests, expiry time, and checksum. The checksum is calculated over canonical artifact JSON with the manifest checksum field blanked before hashing. The artifact excludes raw transcripts, raw phone numbers, secrets, API keys, bearer tokens, secret-management references, encrypted fields, storage internals, and raw configuration files. Spreadsheet formula-leading values are neutralised.
#Audit Evidence
Request, blocked request, completion, failure, cancellation, download, and expiry outcomes are written to the tenant audit log with safe metadata.