Export audit logs
Append-only, oldest-first stream of audit log records, designed for continuous polling (e.g. SIEM export). Records are immutable once written.
How to poll
Page with page_token, and drain every poll until page_token is null:
- First run — call with no
page_token. Optionally setchanged_at__gteto a start date to skip old history. - Drain — keep re-requesting with the
page_tokenfrom the previous response until the response returnspage_token: null(you are caught up). - Persist the last non-null
page_tokenyou received. - Next poll — resume from that stored
page_token. It continues strictly after the last record you ingested, so every new record is delivered exactly once.
Do not build your own cursor from
changed_at. Bulk operations can stamp thousands of records with the exact samechanged_at. A client that computes its next request frommax(changed_at)will re-receive duplicates and, if a single-timestamp cluster is larger thanmax_results, loop forever and never advance past it. Always page withpage_token.
Authorizations
Organization API key (sl_…).
Headers
The organization ID the request is scoped to.
Query Parameters
Maximum number of records to return (1–500).
Only return records changed at or after this RFC 3339 timestamp. Use it to resume polling from the last changed_at you ingested (dedupe by id, since the bound is inclusive).
Opaque cursor from a previous response. Omit on the first call.

