GET /organizations/{organization_id}/audit_logs
List audit logs
curl --request GET \
  --url https://api.onesignal.com/organizations/{organization_id}/audit_logs \
  --header 'Authorization: <authorization>'
{
  "audit_logs": [
    {
      "id": "a1b2c3d4-0000-0000-0000-000000000001",
      "organization_id": "YOUR_ORG_ID",
      "app_id": "YOUR_APP_ID",
      "action": "segment.created",
      "occurred_at": "2026-02-18T10:22:01Z",
      "version": 1,
      "actor": {
        "type": "user",
        "id": "u1b2c3d4-0000-0000-0000-000000000001",
        "name": "Jane Smith",
        "email": "jane@example.com",
        "metadata": {}
      },
      "targets": [
        {
          "type": "segment",
          "id": "s1b2c3d4-0000-0000-0000-000000000001",
          "name": "High-value users",
          "metadata": {}
        }
      ],
      "context": {
        "ip": "203.0.113.42",
        "user_agent": "Mozilla/5.0",
        "country": "US",
        "metadata": {}
      },
      "metadata": {}
    }
  ],
  "has_more": true,
  "next_cursor": "eyJv..."
}

Overview

The List audit logs API returns a record of actions taken within your organization — who did what, when, and from where. Use it to support compliance workflows, security investigations, and activity monitoring.
This endpoint requires an Enterprise plan with the audit logs entitlement enabled. Contact your account manager to enable access. See Audit logs for a feature overview.

How to use this API

Authenticate with your Organization API Key. App-level API keys are not accepted.

Time range

Every initial request requires a start_time. Results are returned in ascending chronological order.
  • The maximum lookback window is 90 days.
  • start_time must be an ISO 8601 timestamp within the last 90 days.
  • end_time is optional and defaults to the current time.
  • Historical data is only available from 2026-02-18T00:00:00Z onward.

Cursor-based pagination

When more events match the request than the requested limit allows, the response includes has_more: true and a next_cursor value. Pass next_cursor as the cursor parameter in the next request. When using a cursor, start_time and end_time are not required.
When app_ids is set, org-level events (those not associated with any specific app) are always included in results alongside the filtered app events.
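
The time-range and pagination rules above, as an added Python example (not OneSignal's own client code): it validates start_time against the 90-day and 2026-02-18 limits, encodes array filters as repeated parameters, and follows next_cursor until has_more is false. The names build_params, http_fetch and iter_audit_logs are hypothetical, and resending filters together with the cursor is an assumption, since the page only says start_time and end_time are not needed on cursor requests.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

BASE = "https://api.onesignal.com"
EARLIEST = datetime(2026, 2, 18, tzinfo=timezone.utc)  # historical data floor
LOOKBACK = timedelta(days=90)                          # maximum lookback window

def build_params(start, now, limit=100, **filters):
    """Validate the first request; start and now must be timezone-aware."""
    if start < max(EARLIEST, now - LOOKBACK):
        raise ValueError("start_time is outside the retrievable window")
    for name, values in filters.items():
        cap = 20 if name == "actions" else 10          # documented array limits
        if len(values) > cap:
            raise ValueError(f"{name} accepts at most {cap} values")
    stamp = start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"start_time": stamp, "limit": min(max(limit, 1), 100), **filters}

def http_fetch(org_id, api_key):
    """Return fetch(query) -> dict bound to one organization (hypothetical helper)."""
    def fetch(query):
        req = urllib.request.Request(
            f"{BASE}/organizations/{org_id}/audit_logs?{query}",
            headers={"Authorization": f"Key {api_key}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_audit_logs(fetch, start, now, **kw):
    """Yield every event in ascending occurred_at order across all pages."""
    params, seen = build_params(start, now, **kw), set()
    while True:
        # doseq=True repeats list parameters: app_ids=a&app_ids=b
        page = fetch(urlencode(params, doseq=True))
        yield from page.get("audit_logs", [])
        cursor = page.get("next_cursor")
        if not page.get("has_more") or not cursor:
            return
        if cursor in seen:  # defensive stop: a repeated cursor would loop forever
            raise RuntimeError("pagination cursor repeated")
        seen.add(cursor)
        # Assumption: filters and limit are resent; only start_time is dropped.
        params.pop("start_time", None)
        params["cursor"] = cursor
```

For an export job, pass http_fetch(org_id, api_key) as fetch and persist the last cursor so an interrupted run can resume without re-reading earlier pages.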

Headers

Authorization
string
default:Key YOUR_ORGANIZATION_API_KEY
required

Your Organization API key with prefix Key. See Keys & IDs.

Path Parameters

organization_id
string
default:YOUR_ORG_ID
required

The UUID of the organization to retrieve audit logs for. Must match the authenticated Organization API Key.

Query Parameters

start_time
string

Start of the time range in ISO 8601 format (e.g. 2026-02-01T00:00:00Z). Required unless cursor is provided. Must be within the last 90 days and no earlier than 2026-02-18T00:00:00Z.

end_time
string

End of the time range in ISO 8601 format. Defaults to the current time. Must be after start_time.

cursor
string

Pagination cursor returned in a previous response as next_cursor. When provided, start_time and end_time are ignored.

limit
integer
default:100

Maximum number of events to return per page. Minimum 1, maximum 100. Values outside this range are clamped automatically.

Required range: 1 <= x <= 100

app_ids
string[]

Filter events by app UUID. Accepts up to 10 values. Org-level events are always included. Repeat the parameter for multiple values: app_ids=uuid1&app_ids=uuid2.

Maximum array length: 10

actions
string[]

Filter by action type (e.g. notification.sent, segment.created). Accepts up to 20 values. Repeat the parameter for multiple values: actions=notification.sent&actions=segment.created.

Maximum array length: 20

actor_ids
string[]

Filter by actor UUID (the user or service that performed the action). Accepts up to 10 values. Repeat the parameter for multiple values: actor_ids=uuid1&actor_ids=uuid2.

Maximum array length: 10

actor_emails
string[]

Filter by actor email address. Accepts up to 10 values. Repeat the parameter for multiple values: actor_emails=a@example.com&actor_emails=b@example.com.

Maximum array length: 10

target_types
string[]

Filter by the type of resource the action was performed on (e.g. notification, segment, journey). Accepts up to 10 values. Repeat the parameter for multiple values: target_types=notification&target_types=segment.

Maximum array length: 10

target_ids
string[]

Filter by the UUID of the resource the action was performed on. Accepts up to 10 values. Repeat the parameter for multiple values: target_ids=uuid1&target_ids=uuid2.

Maximum array length: 10

ip_addresses
string[]

Filter by the IP address the action originated from. Accepts up to 10 values. Repeat the parameter for multiple values: ip_addresses=203.0.113.1&ip_addresses=203.0.113.2.

Maximum array length: 10

Response

200

audit_logs
object[]

Array of audit log events, ordered by occurred_at ascending.

has_more
boolean

true if additional events exist beyond this page. Use next_cursor to fetch the next page.

next_cursor
string

Opaque cursor to pass as cursor in the next request. Only present when has_more is true.