> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mobileboost.io/llms.txt
> Use this file to discover all available pages before exploring further.

# List audit logs

> Retrieve your organisation’s audit log events as a paginated, cursor-based stream. This endpoint is intended for SIEM ingestion, such as a Splunk REST or modular input. Poll with `since=<next_cursor>` from the previous response to fetch only new events.

Audit logging must be enabled for your organisation. If audit logging is not enabled, the endpoint returns `403`. The organisation is derived from the API key which can be created in your organisations account.

Set the `Accept` header to `application/x-ndjson` to receive newline-delimited JSON instead of a single JSON object. In this mode, the next cursor is returned in the `X-Next-Cursor` response header rather than in a response field.



## OpenAPI

````yaml /openapi.json get /audit/logs
openapi: 3.0.2
info:
  title: MobileBoost API
  version: 1.0.0
servers:
  - url: https://api.mobileboost.io
security:
  - BearerAuth: []
paths:
  /audit/logs:
    get:
      summary: List audit logs
      description: >-
        Retrieve your organisation’s audit log events as a paginated,
        cursor-based stream. This endpoint is intended for SIEM ingestion, such
        as a Splunk REST or modular input. Poll with `since=<next_cursor>` from
        the previous response to fetch only new events.


        Audit logging must be enabled for your organisation. If audit logging is
        not enabled, the endpoint returns `403`. The organisation is derived
        from the API key which can be created in your organisations account.


        Set the `Accept` header to `application/x-ndjson` to receive
        newline-delimited JSON instead of a single JSON object. In this mode,
        the next cursor is returned in the `X-Next-Cursor` response header
        rather than in a response field.
      operationId: get_audit_logs
      parameters:
        - required: false
          schema:
            title: Since
            type: string
          name: since
          in: query
          description: >-
            Cursor: the `next_cursor` value from the previous response. Omit to
            start from the beginning of the retained log.
        - required: false
          schema:
            title: Limit
            type: integer
            default: 100
            minimum: 1
            maximum: 1000
          name: limit
          in: query
          description: Maximum number of events to return (1-1000).
        - required: false
          schema:
            title: Event Type
            type: string
          name: event_type
          in: query
          description: >-
            Exact match on `event_type` (e.g. `test.updated`,
            `login.succeeded`).
        - required: false
          schema:
            title: From
            type: string
            format: date-time
            example: '2026-06-01T00:00:00Z'
          name: from
          in: query
          description: ISO-8601 lower bound (inclusive) on `created_at`.
        - required: false
          schema:
            title: To
            type: string
            format: date-time
          name: to
          in: query
          description: ISO-8601 upper bound (inclusive) on `created_at`.
        - required: false
          schema:
            title: Actor
            type: string
          name: actor
          in: query
          description: Substring match against the acting user's `uid` or `email`.
      responses:
        '200':
          description: Successful response
          content:
            application/json:
              schema:
                type: object
                properties:
                  logs:
                    type: array
                    items:
                      $ref: '#/components/schemas/AuditLogEntry'
                    description: Audit events, ordered oldest to newest.
                  next_cursor:
                    type: string
                    nullable: true
                    description: >-
                      Pass as `since` to fetch the next page. `null` when the
                      current page wasn't full (no more events yet).
              example:
                logs:
                  - seq: 2026-06-26T12:00:00.000000+00:00#aB3xY
                    timestamp: '2026-06-26T12:00:00.000Z'
                    created_at: '2026-06-26T12:00:00.000000+00:00'
                    org_id: org_abc
                    event_type: test.updated
                    action: update
                    actor:
                      uid: u_123
                      email: jane@example.com
                    target:
                      type: test
                      id: abc123
                      name: Login flow
                    changes:
                      - field: commands
                        old: Tap Log in
                        new: Tap Sign in
                    source: backend
                    metadata: {}
                next_cursor: 2026-06-26T12:00:00.000000+00:00#aB3xY
            application/x-ndjson:
              schema:
                type: string
                description: >-
                  Newline-delimited JSON — one AuditLogEntry object per line.
                  The next cursor is returned via the `X-Next-Cursor` response
                  header instead of an in-body field.
        '403':
          description: >-
            Audit logging is not enabled for this organisation, or the API key's
            scope isn't permitted to call this endpoint.
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
              example:
                error: audit logging is not enabled for this organisation
components:
  schemas:
    AuditLogEntry:
      type: object
      description: A single canonical audit event.
      properties:
        seq:
          type: string
          description: >-
            Monotonic ordering key (`created_at` + a doc-id tiebreak). Use this
            as the `since` cursor.
        timestamp:
          type: string
          format: date-time
          description: >-
            When the audited event occurred (defaults to `created_at` if not
            supplied by the producer).
        created_at:
          type: string
          format: date-time
          description: >-
            When the audit record was written; the field `from`/`to` filter
            against.
        org_id:
          type: string
          description: Your organisation ID (always matches the API key's organisation).
        event_type:
          type: string
          description: >-
            Dotted event taxonomy, e.g. `test.updated`, `login.succeeded`,
            `member.role_changed`, `api_key.created`.
        action:
          type: string
          description: One of `create`, `update`, `delete`, `login`.
        actor:
          type: object
          description: >-
            Who performed the action. System-originated writes use a `uid` like
            `api:uploadBuild` or `webhook:githubApp`.
          properties:
            uid:
              type: string
            email:
              type: string
              nullable: true
            ip:
              type: string
              nullable: true
            user_agent:
              type: string
              nullable: true
        target:
          type: object
          description: What was acted on.
          properties:
            type:
              type: string
            id:
              type: string
            name:
              type: string
              nullable: true
        changes:
          type: array
          description: >-
            Field-level diffs for update events (empty for pure events like
            logins). Sensitive fields are recorded as a salted hash (`{"masked":
            true, "hash": "..."}`) instead of plaintext.
          items:
            type: object
            properties:
              field:
                type: string
              old: {}
              new: {}
        source:
          type: string
          description: >-
            Producer of the event: `cloud_function`, `backend`, or
            `client_reported`.
        metadata:
          type: object
          description: Additional event-specific context.
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer

````