Audit Log Export API
The Audit Log Export endpoint streams all audit events for your project within a requested date range directly to a file. It is designed for SOC2 evidence collection, compliance audits, and offline analysis.
Base URL: https://api.zeridion.com/flare/v1
Authentication is JWT + project-membership role of admin or owner only — Authorization: Bearer <api_key> is explicitly rejected on this surface, because audit-log rows expose security-event PII (IPs, user-agents, login attempts) that an unprivileged tenant API key must not read. Callers without a valid JWT receive 401 unauthorized; callers whose membership role is below admin receive 403 forbidden. The endpoint is subject to a dedicated rate limit of one export per minute per tenant — separate from the normal hourly quota.
GET /flare/v1/projects/{projectId}/audit-log/export
Stream audit log rows in JSONL or CSV format for a date range up to 90 days.
Request
GET /flare/v1/projects/{projectId}/audit-log/export?from=<iso>&until=<iso>&format=jsonl|csv
Authorization: Bearer <jwt_token>
Path parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
projectId | string | yes | The project whose audit log to export. The caller's JWT must carry an admin or owner membership in this project. |
Query parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
from | string | yes | ISO 8601 start of the export window (inclusive). |
until | string | yes | ISO 8601 end of the export window (inclusive). |
format | string | no | jsonl (default) or csv. |
Response
On success the response body is streamed directly — no JSON envelope. The Content-Disposition header carries the suggested filename.
| Header | Value |
|---|---|
Content-Type | application/x-ndjson (jsonl) or text/csv |
Content-Disposition | attachment; filename="zeridion-audit-\{projectId\}-\{date\}.\{ext\}" |
The response is chunked-transfer — there is no Content-Length header.
JSONL format
One JSON object per line (newline-delimited JSON / ndjson). Rows are ordered by created_at ascending, then id ascending.
{"id":"act_01J...","created_at":"2026-04-01T00:00:00+00:00","kind":"job_created","target_type":"job","target_id":"job_01J...","summary":"Job enqueued: send_email","metadata":{"queue":"default"}}
{"id":"act_01J...","created_at":"2026-04-01T00:05:12+00:00","kind":"job_created","target_type":"job","target_id":"job_01J...","summary":"Job enqueued: generate_report","metadata":null}
Field reference
| Field | Type | Description |
|---|---|---|
id | string | Unique audit event ID (act_ prefix). |
created_at | ISO 8601 | When the event was recorded (UTC). |
kind | string | Event kind in snake_case wire format (e.g. job_created, not JobCreated). See ActivityKind values in the Activity API doc for the complete enumeration of 28 kinds, or the lock file docs/api/activity-kinds.json for the frozen-int source of truth. |
target_type | string | Resource type affected ("job", "alert", "recurring", …). |
target_id | string | null | ID of the affected resource, or null if not applicable. |
summary | string | Human-readable description of the event. |
metadata | object | null | Shape-specific extra fields (queue, channel, …), or null. |
CSV format
RFC-4180 compliant. First row is the header. Fields containing commas, double-quotes, or newlines are enclosed in double-quotes; internal double-quotes are doubled.
Id,CreatedAt,Kind,TargetType,TargetId,Summary,Metadata
act_01J...,2026-04-01T00:00:00+00:00,job_created,job,job_01J...,"Job enqueued: send_email","{""queue"":""default""}"
curl examples
JSONL export (last 30 days)
curl -G "https://api.zeridion.com/flare/v1/projects/$PROJECT_ID/audit-log/export" \
-H "Authorization: Bearer $ZERIDION_JWT" \
--data-urlencode "from=$(date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)" \
--data-urlencode "until=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
--data-urlencode "format=jsonl" \
-o audit-log.jsonl
CSV export (specific date range)
curl -G "https://api.zeridion.com/flare/v1/projects/$PROJECT_ID/audit-log/export" \
-H "Authorization: Bearer $ZERIDION_JWT" \
--data-urlencode "from=2026-01-01T00:00:00Z" \
--data-urlencode "until=2026-03-31T23:59:59Z" \
--data-urlencode "format=csv" \
-o audit-log.csv
Error responses
All errors follow the standard error envelope.
| Code | HTTP | Description |
|---|---|---|
invalid_from | 400 | from is missing or not a valid ISO 8601 date-time. |
invalid_until | 400 | until is missing or not a valid ISO 8601 date-time. |
invalid_range | 400 | from is not before until. |
range_too_large | 400 | The requested window exceeds 90 days. |
invalid_format | 400 | format is not "jsonl" or "csv". |
rate_limit_exceeded | 429 | The tenant has already requested an export in the last 60 seconds. |
Notes
- Rows are paginated internally in 500-row pages and streamed without buffering — the endpoint is safe to call for very large projects.
- The
metadatafield is raw JSON stored on write. In JSONL it is embedded as a nested object (not a string). In CSV it is serialized as a JSON string. - The export does not include deleted projects' rows — rows are filtered strictly to the authenticated tenant.
See also
- Activity API — read the same audit rows as a cursor-paginated dashboard feed
- Monitoring guide — ship audit exports to SIEM and log-storage backends
- Errors —
rate_limit_exceeded,invalid_format, and other failure modes