Add audit log query API (#101)

david049 · web-flow · commit 499e1778ecc4 · 2026-01-12T15:01:50.000-05:00
* Add audit log query API

* descope account

* add openapi tag

* fix comment

* bump version

* fix description
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v0.10.0
+v0.10.1
diff --git a/temporal/api/cloud/cloudservice/v1/request_response.proto b/temporal/api/cloud/cloudservice/v1/request_response.proto
@@ -19,6 +19,7 @@ import "temporal/api/cloud/region/v1/message.proto";
 import "temporal/api/cloud/account/v1/message.proto";
 import "temporal/api/cloud/usage/v1/message.proto";
 import "temporal/api/cloud/connectivityrule/v1/message.proto";
+import "temporal/api/cloud/auditlog/v1/message.proto";
 
 message GetUsersRequest {
     // The requested size of the page to retrieve - optional.
@@ -949,6 +950,25 @@ message DeleteConnectivityRuleResponse {
     temporal.api.cloud.operation.v1.AsyncOperation async_operation = 1;
 }
 
+message GetAuditLogsRequest {
+    // The requested size of the page to retrieve - optional.
+    // Cannot exceed 1000. Defaults to 100.
+    int32 page_size = 1;
+    // The page token if this is continuing from another response - optional.
+    string page_token = 2;
+    // Filter for UTC time >= (defaults to 30 days ago) - optional.
+    google.protobuf.Timestamp start_time_inclusive = 3;
+    // Filter for UTC time < (defaults to current time) - optional.
+    google.protobuf.Timestamp end_time_exclusive = 4;
+}
+
+message GetAuditLogsResponse {
+    // The list of audit logs ordered by emit time, log_id
+    repeated temporal.api.cloud.auditlog.v1.LogRecord logs = 1;
+    // The next page's token.
+    string next_page_token = 2;
+}
+
 message ValidateAccountAuditLogSinkRequest {
   // The audit log sink spec that will be validated
   temporal.api.cloud.account.v1.AuditLogSinkSpec spec = 1;
diff --git a/temporal/api/cloud/cloudservice/v1/service.proto b/temporal/api/cloud/cloudservice/v1/service.proto
@@ -976,6 +976,22 @@ service CloudService {
         };
     }
 
+    // Get audit logs
+    rpc GetAuditLogs(GetAuditLogsRequest) returns (GetAuditLogsResponse) {
+        option (google.api.http) = {
+            get: "/cloud/audit-logs",
+        };
+        option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+            tags: ["Account"];
+            summary: "Get audit logs"
+            description: "Returns a paginated list of audit logs for the account, optionally filtered by time range"
+            external_docs: {
+                url: "https://docs.temporal.io/cloud/audit-logging";
+                description: "Audit logging documentation";
+            };
+        };
+    }
+
     // Validate customer audit log sink is accessible from Temporal's workflow by delivering an empty file to the specified sink.
     // The operation verifies that the sink is correctly configured, accessible and ready to receive audit logs.
     rpc ValidateAccountAuditLogSink(ValidateAccountAuditLogSinkRequest) returns (ValidateAccountAuditLogSinkResponse) {
