List audit logs
Retrieve your organisation’s audit log events as a paginated, cursor-based stream. This endpoint is intended for SIEM ingestion, such as a Splunk REST or modular input. Poll with since=<next_cursor> from the previous response to fetch only new events.
Audit logging must be enabled for your organisation. If audit logging is not enabled, the endpoint returns 403. The organisation is derived from the API key which can be created in your organisations account.
Set the Accept header to application/x-ndjson to receive newline-delimited JSON instead of a single JSON object. In this mode, the next cursor is returned in the X-Next-Cursor response header rather than in a response field.
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Query Parameters
Cursor: the next_cursor value from the previous response. Omit to start from the beginning of the retained log.
Maximum number of events to return (1-1000).
1 <= x <= 1000Exact match on event_type (e.g. test.updated, login.succeeded).
ISO-8601 lower bound (inclusive) on created_at.
"2026-06-01T00:00:00Z"
ISO-8601 upper bound (inclusive) on created_at.
Substring match against the acting user's uid or email.

