REST API endpoints for enterprise audit logs
Use the REST API to retrieve audit logs for an enterprise.
Note
These endpoints only support authentication using a personal access token (classic). For more information, see Managing your personal access tokens.
Get the audit log for an enterprise
Gets the audit log for an enterprise.
This endpoint has a rate limit of 1,750 queries per hour per user and IP address. If your integration receives a rate limit error (typically a 403 or 429 response), it should wait before making another request to the GitHub API. For more information, see "Rate limits for the REST API" and "Best practices for integrators."
The authenticated user must be an enterprise admin to use this endpoint.
OAuth app tokens and personal access tokens (classic) need the read:audit_log scope to use this endpoint.
Fine-grained access tokens for "Get the audit log for an enterprise"
This endpoint works with the following fine-grained token types:
The fine-grained token must have the following permission set:
- "Enterprise administration" enterprise permissions (read)
Parameters for "Get the audit log for an enterprise"
| Name, Type, Description |
|---|
accept string Setting to |
| Name, Type, Description |
|---|
enterprise string RequiredThe slug version of the enterprise name. |
| Name, Type, Description |
|---|
phrase string A search phrase. For more information, see Searching the audit log. |
include string The event types to include:
The default is Can be one of: |
after string A cursor, as given in the Link header. If specified, the query only searches for events after this cursor. |
before string A cursor, as given in the Link header. If specified, the query only searches for events before this cursor. |
order string The order of audit log events. To list newest events first, specify The default is Can be one of: |
page integer The page number of the results to fetch. For more information, see "Using pagination in the REST API." Default: |
per_page integer The number of results per page (max 100). For more information, see "Using pagination in the REST API." Default: |
HTTP response status codes for "Get the audit log for an enterprise"
| Status code | Description |
|---|---|
200 | OK |
Code samples for "Get the audit log for an enterprise"
If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2026-03-10" \
https://api.github.com/enterprises/ENTERPRISE/audit-logResponse
Status: 200[
{
"@timestamp": 1606929874512,
"action": "team.add_member",
"actor": "octocat",
"created_at": 1606929874512,
"_document_id": "xJJFlFOhQ6b-5vaAFy9Rjw",
"org": "octo-corp",
"team": "octo-corp/example-team",
"user": "monalisa"
},
{
"@timestamp": 1606507117008,
"action": "org.create",
"actor": "octocat",
"created_at": 1606507117008,
"_document_id": "Vqvg6kZ4MYqwWRKFDzlMoQ",
"org": "octocat-test-org"
},
{
"@timestamp": 1605719148837,
"action": "repo.destroy",
"actor": "monalisa",
"created_at": 1605719148837,
"_document_id": "LwW2vpJZCDS-WUmo9Z-ifw",
"org": "mona-org",
"repo": "mona-org/mona-test-repo",
"visibility": "private"
}
]Get the audit log stream key for encrypting secrets
Retrieves the audit log streaming public key for encrypting secrets.
When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."
Fine-grained access tokens for "Get the audit log stream key for encrypting secrets"
This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.
Parameters for "Get the audit log stream key for encrypting secrets"
| Name, Type, Description |
|---|
accept string Setting to |
| Name, Type, Description |
|---|
enterprise string RequiredThe slug version of the enterprise name. |
HTTP response status codes for "Get the audit log stream key for encrypting secrets"
| Status code | Description |
|---|---|
200 | The stream key for the audit log streaming configuration was retrieved successfully. |
Code samples for "Get the audit log stream key for encrypting secrets"
If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2026-03-10" \
https://api.github.com/enterprises/ENTERPRISE/audit-log/stream-keyThe stream key for the audit log streaming configuration was retrieved successfully.
Status: 200{
"key_id": "123",
"key": "actual-public-key-value"
}List audit log stream configurations for an enterprise
Lists the configured audit log streaming configurations for an enterprise. This only lists configured streams for supported providers.
When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."
Fine-grained access tokens for "List audit log stream configurations for an enterprise"
This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.
Parameters for "List audit log stream configurations for an enterprise"
| Name, Type, Description |
|---|
accept string Setting to |
| Name, Type, Description |
|---|
enterprise string RequiredThe slug version of the enterprise name. |
HTTP response status codes for "List audit log stream configurations for an enterprise"
| Status code | Description |
|---|---|
200 | OK |
Code samples for "List audit log stream configurations for an enterprise"
If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2026-03-10" \
https://api.github.com/enterprises/ENTERPRISE/audit-log/streamsOK
Status: 200[
{
"id": 1,
"stream_type": "Splunk",
"stream_details": "US",
"enabled": true,
"created_at": "2024-06-06T08:00:00Z",
"updated_at": "2024-06-06T08:00:00Z",
"paused_at": null
}
]Create an audit log streaming configuration for an enterprise
Creates an audit log streaming configuration for any of the supported streaming endpoints: Azure Blob Storage, Azure Event Hubs, Amazon S3, Splunk, Google Cloud Storage, Datadog.
When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."
Fine-grained access tokens for "Create an audit log streaming configuration for an enterprise"
This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.
Parameters for "Create an audit log streaming configuration for an enterprise"
| Name, Type, Description |
|---|
accept string Setting to |
| Name, Type, Description |
|---|
enterprise string RequiredThe slug version of the enterprise name. |
| Name, Type, Description |
|---|
enabled boolean RequiredThis setting pauses or resumes a stream. |
stream_type string RequiredThe audit log streaming provider. The name is case sensitive. Can be one of: |
vendor_specific object Required |
HTTP response status codes for "Create an audit log streaming configuration for an enterprise"
| Status code | Description |
|---|---|
200 | The audit log stream configuration was created successfully. |
Code samples for "Create an audit log streaming configuration for an enterprise"
If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.
Request example
curl -L \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2026-03-10" \
https://api.github.com/enterprises/ENTERPRISE/audit-log/streams \
-d '{"enabled":false,"stream_type":"Azure Event Hubs","vendor_specific":{"namespace":"newnamespace","shared_access_key_name":"newaccesskeyname","shared_access_key":"newaccesskey","event_hub_name":"neweventhub"}}'The audit log stream configuration was created successfully.
Status: 200{
"id": 1,
"stream_type": "Splunk",
"stream_details": "US",
"enabled": true,
"created_at": "2024-06-06T08:00:00Z",
"updated_at": "2024-06-06T08:00:00Z",
"paused_at": null
}List one audit log streaming configuration via a stream ID
Lists one audit log stream configuration via a stream ID.
When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."
Fine-grained access tokens for "List one audit log streaming configuration via a stream ID"
This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.
Parameters for "List one audit log streaming configuration via a stream ID"
| Name, Type, Description |
|---|
accept string Setting to |
| Name, Type, Description |
|---|
enterprise string RequiredThe slug version of the enterprise name. |
stream_id integer RequiredThe ID of the audit log stream configuration. |
HTTP response status codes for "List one audit log streaming configuration via a stream ID"
| Status code | Description |
|---|---|
200 | Lists one audit log stream configuration via stream ID. |
Code samples for "List one audit log streaming configuration via a stream ID"
If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.
Request example
curl -L \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2026-03-10" \
https://api.github.com/enterprises/ENTERPRISE/audit-log/streams/STREAM_IDLists one audit log stream configuration via stream ID.
Status: 200{
"id": 1,
"stream_type": "Splunk",
"stream_details": "US",
"enabled": true,
"created_at": "2024-06-06T08:00:00Z",
"updated_at": "2024-06-06T08:00:00Z",
"paused_at": null
}Update an existing audit log stream configuration
Updates an existing audit log stream configuration for an enterprise.
When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."
Fine-grained access tokens for "Update an existing audit log stream configuration"
This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.
Parameters for "Update an existing audit log stream configuration"
| Name, Type, Description |
|---|
accept string Setting to |
| Name, Type, Description |
|---|
enterprise string RequiredThe slug version of the enterprise name. |
stream_id integer RequiredThe ID of the audit log stream configuration. |
| Name, Type, Description |
|---|
enabled boolean RequiredThis setting pauses or resumes a stream. |
stream_type string RequiredThe audit log streaming provider. The name is case sensitive. Can be one of: |
vendor_specific object Required |
HTTP response status codes for "Update an existing audit log stream configuration"
| Status code | Description |
|---|---|
200 | Successful update |
422 | Validation error |
Code samples for "Update an existing audit log stream configuration"
If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.
Request example
curl -L \
-X PUT \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2026-03-10" \
https://api.github.com/enterprises/ENTERPRISE/audit-log/streams/STREAM_ID \
-d '{"enabled":false,"stream_type":"Azure Event Hubs","vendor_specific":{"namespace":"newnamespace","shared_access_key_name":"newaccesskeyname","shared_access_key":"newaccesskey","event_hub_name":"neweventhub"}}'Successful update
Status: 200{
"id": 1,
"stream_type": "Splunk",
"stream_details": "US",
"enabled": true,
"created_at": "2024-06-06T08:00:00Z",
"updated_at": "2024-06-06T08:00:00Z",
"paused_at": null
}Delete an audit log streaming configuration for an enterprise
Deletes an existing audit log stream configuration for an enterprise.
When using this endpoint, you must encrypt the credentials following the same encryption steps as outlined in the guide on encrypting secrets. See "Encrypting secrets for the REST API."
Fine-grained access tokens for "Delete an audit log streaming configuration for an enterprise"
This endpoint does not work with GitHub App user access tokens, GitHub App installation access tokens, or fine-grained personal access tokens.
Parameters for "Delete an audit log streaming configuration for an enterprise"
| Name, Type, Description |
|---|
accept string Setting to |
| Name, Type, Description |
|---|
enterprise string RequiredThe slug version of the enterprise name. |
stream_id integer RequiredThe ID of the audit log stream configuration. |
HTTP response status codes for "Delete an audit log streaming configuration for an enterprise"
| Status code | Description |
|---|---|
204 | The audit log stream configuration was deleted successfully. |
Code samples for "Delete an audit log streaming configuration for an enterprise"
If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.
Request example
curl -L \
-X DELETE \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2026-03-10" \
https://api.github.com/enterprises/ENTERPRISE/audit-log/streams/STREAM_IDThe audit log stream configuration was deleted successfully.
Status: 204