> ## Documentation Index
> Fetch the complete documentation index at: https://api-docs.select.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Export audit logs

> Append-only, oldest-first stream of audit log records, designed for continuous polling (e.g. SIEM export). Records are immutable once written.

## How to poll

Page with `page_token`, and drain every poll until `page_token` is `null`:

1. **First run** — call with no `page_token`. Optionally set `changed_at__gte` to a start date to skip old history.
2. **Drain** — keep re-requesting with the `page_token` from the previous response until the response returns `page_token: null` (you are caught up).
3. **Persist** the last non-null `page_token` you received.
4. **Next poll** — resume from that stored `page_token`. It continues strictly after the last record you ingested, so every new record is delivered exactly once.

> **Do not build your own cursor from `changed_at`.** Bulk operations can stamp thousands of records with the exact same `changed_at`. A client that computes its next request from `max(changed_at)` will re-receive duplicates and, if a single-timestamp cluster is larger than `max_results`, loop forever and never advance past it. Always page with `page_token`.



## OpenAPI

````yaml https://api.select.dev/v2/openapi.json get /audit-logs
openapi: 3.1.0
info:
  title: SELECT API (v2)
  version: 0.1.0
servers:
  - url: https://api.select.dev/v2
    description: SELECT API v2
security: []
paths:
  /audit-logs:
    get:
      tags:
        - audit-logs
      summary: Export audit logs
      description: >-
        Append-only, oldest-first stream of audit log records, designed for
        continuous polling (e.g. SIEM export). Records are immutable once
        written.


        ## How to poll


        Page with `page_token`, and drain every poll until `page_token` is
        `null`:


        1. **First run** — call with no `page_token`. Optionally set
        `changed_at__gte` to a start date to skip old history.

        2. **Drain** — keep re-requesting with the `page_token` from the
        previous response until the response returns `page_token: null` (you are
        caught up).

        3. **Persist** the last non-null `page_token` you received.

        4. **Next poll** — resume from that stored `page_token`. It continues
        strictly after the last record you ingested, so every new record is
        delivered exactly once.


        > **Do not build your own cursor from `changed_at`.** Bulk operations
        can stamp thousands of records with the exact same `changed_at`. A
        client that computes its next request from `max(changed_at)` will
        re-receive duplicates and, if a single-timestamp cluster is larger than
        `max_results`, loop forever and never advance past it. Always page with
        `page_token`.
      operationId: list_audit_logs_audit_logs_get
      parameters:
        - name: max_results
          in: query
          required: false
          schema:
            type: integer
            description: Maximum number of records to return (1–500).
            default: 50
            title: Max Results
          description: Maximum number of records to return (1–500).
        - name: changed_at__gte
          in: query
          required: false
          schema:
            anyOf:
              - type: string
                format: date-time
              - type: 'null'
            description: >-
              Only return records changed at or after this RFC 3339 timestamp.
              Use it to resume polling from the last `changed_at` you ingested
              (dedupe by `id`, since the bound is inclusive).
            title: Changed At  Gte
          description: >-
            Only return records changed at or after this RFC 3339 timestamp. Use
            it to resume polling from the last `changed_at` you ingested (dedupe
            by `id`, since the bound is inclusive).
        - name: page_token
          in: query
          required: false
          schema:
            anyOf:
              - type: string
              - type: 'null'
            description: Opaque cursor from a previous response. Omit on the first call.
            title: Page Token
          description: Opaque cursor from a previous response. Omit on the first call.
        - name: x-tenant-id
          in: header
          required: true
          schema:
            type: string
            description: The organization ID the request is scoped to.
            title: X-Tenant-Id
          description: The organization ID the request is scoped to.
      responses:
        '200':
          description: Successful Response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListResponse_ExportAuditLog_'
        '422':
          description: Validation Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HTTPValidationError'
      security:
        - HTTPBearer: []
components:
  schemas:
    ListResponse_ExportAuditLog_:
      properties:
        items:
          items:
            $ref: '#/components/schemas/ExportAuditLog'
          type: array
          title: Items
        page_token:
          anyOf:
            - type: string
            - type: 'null'
          title: Page Token
          description: Opaque cursor for the next page; empty/absent on the last page.
        row_count:
          anyOf:
            - type: integer
            - type: 'null'
          title: Row Count
          description: >-
            Best-effort total for the filtered result set; may be null when
            expensive.
      type: object
      required:
        - items
      title: ListResponse[ExportAuditLog]
    HTTPValidationError:
      properties:
        detail:
          items:
            $ref: '#/components/schemas/ValidationError'
          type: array
          title: Detail
      type: object
      title: HTTPValidationError
    ExportAuditLog:
      properties:
        id:
          type: string
          title: Id
          description: The unique identifier of the audit log record.
        table_name:
          anyOf:
            - type: string
            - type: 'null'
          title: Table Name
          description: >-
            The table whose record was changed. Null for event-driven records,
            which set `eventType` instead.
        event_type:
          anyOf:
            - type: string
            - type: 'null'
          title: Event Type
          description: >-
            The kind of event for records with no backing table (e.g. `users`,
            `invitation`, `session`). Null for table-backed records, which set
            `tableName` instead. Exactly one of `tableName` / `eventType` is
            set.
        record_id:
          type: string
          title: Record Id
          description: The id of the changed record.
        operation:
          type: string
          enum:
            - insert
            - update
            - delete
          title: Operation
          description: 'The operation performed: insert, update, or delete.'
        changed_by:
          type: string
          title: Changed By
          description: Who made the change (user email or API key name).
        changed_at:
          type: string
          title: Changed At
          description: When the change occurred — RFC 3339 UTC, e.g. 2026-06-05T10:30:00Z.
        updates:
          items:
            $ref: '#/components/schemas/ExportAuditFieldUpdate'
          type: array
          title: Updates
          description: The list of field changes captured for this record.
      type: object
      required:
        - id
        - record_id
        - operation
        - changed_by
        - changed_at
        - updates
      title: ExportAuditLog
      description: A single audit log record, slimmed for export.
    ValidationError:
      properties:
        loc:
          items:
            anyOf:
              - type: string
              - type: integer
          type: array
          title: Location
        msg:
          type: string
          title: Message
        type:
          type: string
          title: Error Type
      type: object
      required:
        - loc
        - msg
        - type
      title: ValidationError
    ExportAuditFieldUpdate:
      properties:
        field:
          type: string
          title: Field
          description: The name of the field that changed.
        old_value:
          title: Old Value
          description: The value before the change.
        new_value:
          title: New Value
          description: The value after the change.
      type: object
      required:
        - field
        - old_value
        - new_value
      title: ExportAuditFieldUpdate
      description: A single field change, slimmed for export (drops UI label + raw values).
  securitySchemes:
    HTTPBearer:
      type: http
      description: Organization API key (sl_…).
      scheme: bearer

````