Back up and export your Auxot data

Build an honest runbook for your Auxot data and config — database backups for self-hosted installs, **Audit Logs** via API when the UI has no CSV button, and manual artifact copies (context files, directories, and instruction exports) — without pretending one button ships your whole org to a zip file.

Plus: three Admin Agent passes — inventory what must survive an org move vs what can be recreated, draft a quarterly backup drill checklist, and explain credential gaps after a Postgres restore ([Manage your Credentials](/tutorials/manage-your-credentials)).

Audience	Admins · Developers
Time	~10 min
Prerequisites	Org admin or ops responsibility for continuity. [View your audit logs](/tutorials/view-your-audit-logs) (where retention/export reality is spelled out). Self-hosted readers: [Self-host Auxot stage by stage](/tutorials/self-host-auxot-stage-by-stage). Helpful: [Create a shared Team API Key](/tutorials/create-a-team-api-key) (API pulls), [Build your agent directory](/tutorials/build-your-agent-directory) (human-readable inventory).
You'll end up with	A short internal doc listing who backs up what, how audit history leaves Auxot today, and which secrets must be re-entered after disaster — matched to what the manual actually promises.

When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.

Callouts with a Worth knowing gold accent are meant as must-read context before you move on. Blockquotes that open with Tip are lighter, optional depth.

Why this matters

Teams eventually ask: If this Auxot org vanished tomorrow, what would we lose, and what could we rebuild? The honest answer splits three ways:

Platform data: threads, jobs, events, encrypted credentials blob; lives in Postgres (and Redis for ephemeral state) on installs you operate (Self-host Auxot stage by stage); hosted Auxot still implies someone owns continuity with the vendor’s ops model.
Audit history egress: Audit Logs does not currently ship a CSV/JSON export button; long-term archive means API access with a team key or structured pulls via Admin tooling (View your audit logs).
Knowledge artifacts you already curate: context files, agent directory pages, and workflow naming conventions; should live in git/wiki anyway (Build your agent directory, Add your first context file).

Secrets you cannot magically re-download: API keys, GPU keys, and tool connector secrets show once at creation; backups recover ciphertext, not forgotten plaintext (Rotate credentials without surprising your agents).

Backups don’t happen on their own. You assign owners, you test restores.

Quick start

Classify tiers: Tier A (must survive: configs and audit trail commitments), Tier B (nice to have: directories), Tier C (recreate: experiments).
Self-hosted / VPC Auxot: put Postgres (and Redis if your DR standard demands it) on managed backup schedules; same discipline as any stateful service (Deployment stresses managed DBs for production).
Audit Logs: plan programmatic export with a team. key (Create a shared Team API Key) or Admin Agent list_events copy-outs for ad-hoc extracts (View your audit logs; Retention and export details).
Human docs: export or duplicate Settings → Context Files prose, agent descriptions, and workflow maps into your repo; Auxot is not your only manuscript store.
Restore rehearsal: annually restore Postgres to a scratch instance, confirm login, and expect to re-enter vendor credentials if AUXOT_SECRET_KEY rotated wrong (Configuration; losing the secret key impact on encrypted fields).

Done? One-page runbook with named owners, not a fantasy “Export org” menu.

The agent can do that?

1. Inventory for an acquisition / org migration

Chat → Admin Agent:

We're documenting Auxot continuity for [stay internal | divest | migrate vendor]. List buckets: Postgres/Redis operator, audit API consumer, context file canonical store, and API keys that must be minted fresh — bullets only, no legal advice.

Why it’s non-obvious: Legal and infra both ask “do we have the data?” Paste your scope, and the Admin Agent orders the buckets you still validate with ops.

2. Quarterly backup drill checklist

Draft a one-hour tabletop: verify latest Postgres backup timestamp, restore to scratch, login smoke test, and spot-check one workflow — owners per step — markdown checklist.

Why it’s non-obvious: Backups without tested restores are wishful thinking; checklist beats heroics.

3. Post-restore credential chaos

After Postgres restore from yesterday's snapshot, which Auxot surfaces still work vs which need human re-auth? Cite encrypted credential pattern — high level only.

Why it’s non-obvious: Encryption uses AUXOT_SECRET_KEY (Configuration); changing it incorrectly makes existing ciphertext unreadable. The rotation doc matters more than thinking a single export will save you.

Go deeper

Retention vs live telemetry

Audit database rows don’t currently expire; plan storage growth (View your audit logs). System Health live cards are short-window Redis-backed; don’t confuse them with archival truth (Take Auxot’s pulse in 10 seconds).

What not to trust screenshots for

GPU keys, intake Bearer tokens, and OAuth client secrets: rotate and re-record after incidents (Harden your intake webhooks, Replace an agent currently in use).

Compliance narratives

Pair this runbook with privacy reviews (Run a data privacy review before you ship); retention wording belongs in your DPIA, not only Auxot UI copy.

Tier checklist (internal wiki stub)

Tier	Includes	Owner role
A	Postgres backups, audit API job, `AUXOT_SECRET_KEY` escrow	Platform
B	Context markdown mirrors, agent directory	Team leads
C	Scratch agents	Individuals

Walkthrough

Sections: Data stores, Export paths, Secrets discipline, and Restore test date.

Step 2: Wire audit egress

Create team. automation identity → script Management API pulls per your security review (View your audit logs references API path). Store outputs in immutable SIEM bucket if required.

Step 3: Mirror knowledge

For each critical context file, ensure duplicate in git (Add your first context file); Auxot injection stays convenient, git stays canonical.

Step 4: Calendar the drill

Pick quarter → execute tabletop (power move 2).

Step 5: Update when product changes

Update your runbook if Auxot ships a UI export later; date your version.

What’s next

→ View your audit logs. Retention + export facts this lesson cites.
→ Require human approval before risky actions. Continuity is also who may approve when restored configs or agents behave differently after a drill.
→ Self-host Auxot stage by stage. Postgres/Redis placement before backup SLAs mean anything.
→ Create a shared Team API Key. Service identity for scripted audit pulls.
→ Build your agent directory. Human-readable list of your agents outside the database.
→ Run a data privacy review before you ship. Retention promises vs runbook alignment.
→ Plan for retention and deletion requests. The other side of continuity: deletion asks, backup overlap, escalation owners.

Reference

Manual: Deployment, Configuration, Security, API Reference
Pages in Auxot: Audit Logs, Settings → Context Files, Settings → Agents
See also: Connect OAuth for MCP tools, Require human approval before risky actions, Rotate credentials without surprising your agents, Run a quarterly review of your agents, Replace an agent currently in use