Exports must paginate through the complete result set needed by the use case. Protect both the AuthOS bearer token and downstream collector credentials.
Common Use Cases
Compliance Evidence Export
Scenario: Export selected records for review within a SOC 2 control program. This export is not a SOC 2 report or certification and its coverage must be validated by the operator.
# 1. Export all security events
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=100" \
-H "Authorization: Bearer ..." | \
jq '.logs[] | select(.category == "Security")' > security_events.json
# 2. Export all user management events
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?target_type=user" \
-H "Authorization: Bearer ..." > user_management.json
# 3. Generate CSV report
curl -X GET "https://sso.example.com/api/organizations/acme-corp/audit-log?page=1&limit=1000" \
-H "Authorization: Bearer ..." | \
jq -r '.logs[] | [.created_at, .actor.email, .action, .target_type, .target_id, .success] | @csv' \
> audit_report.csv
Integration Examples
Export to Splunk
#!/bin/bash
# Export audit logs to Splunk
ORG_SLUG="acme-corp"
AUTH_TOKEN="your-jwt-token"
SPLUNK_URL="https://splunk.example.com:8088/services/collector"
SPLUNK_TOKEN="your-splunk-hec-token"
# Fetch logs
logs=$(curl -s -X GET "https://sso.example.com/api/organizations/$ORG_SLUG/audit-log?limit=100" \
-H "Authorization: Bearer $AUTH_TOKEN")
# Send to Splunk
echo "$logs" | jq -c '.logs[]' | while read log; do
curl -X POST "$SPLUNK_URL" \
-H "Authorization: Splunk $SPLUNK_TOKEN" \
-d "{\"event\": $log, \"sourcetype\": \"sso_audit_log\"}"
done
Slack Notifications
// Node.js: Send critical audit events to Slack
const axios = require('axios');
const CRITICAL_EVENTS = [
'service.deleted',
'user.removed',
'api_key.created',
'api_key.deleted',
'security.mfa.disabled'
];
async function pollAuditLogs() {
const response = await axios.get(
'https://sso.example.com/api/organizations/acme-corp/audit-log?limit=10',
{ headers: { Authorization: `Bearer ${process.env.SSO_JWT}` } }
);
for (const log of response.data.logs) {
if (CRITICAL_EVENTS.includes(log.action)) {
await sendSlackAlert(log);
}
}
}
async function sendSlackAlert(log) {
await axios.post(process.env.SLACK_WEBHOOK_URL, {
text: `=� Critical Action: ${log.action}`,
attachments: [{
color: 'danger',
fields: [
{ title: 'Actor', value: log.actor.email, short: true },
{ title: 'Target', value: log.target_type, short: true },
{ title: 'Time', value: log.created_at, short: true },
{ title: 'IP', value: log.ip_address || 'N/A', short: true }
]
}]
});
}
// Poll every 5 minutes
setInterval(pollAuditLogs, 5 * 60 * 1000);
Python Report Generator
import requests
import csv
from datetime import datetime
SSO_API = 'https://sso.example.com'
ORG_SLUG = 'acme-corp'
AUTH_TOKEN = 'your-jwt-token'
def export_audit_logs_to_csv(output_file='audit_logs.csv'):
"""Export paginated audit records to CSV for operator review."""
headers = {'Authorization': f'Bearer {AUTH_TOKEN}'}
page = 1
all_logs = []
# Paginate through all logs
while True:
response = requests.get(
f'{SSO_API}/api/organizations/{ORG_SLUG}/audit-log',
params={'page': page, 'limit': 100},
headers=headers
)
data = response.json()
all_logs.extend(data['logs'])
if not data['pagination']['has_next']:
break
page += 1
# Write to CSV
with open(output_file, 'w', newline='') as csvfile:
fieldnames = ['timestamp', 'actor_email', 'action', 'target_type',
'target_id', 'success', 'ip_address']
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
for log in all_logs:
writer.writerow({
'timestamp': log['created_at'],
'actor_email': log['actor']['email'],
'action': log['action'],
'target_type': log['target_type'],
'target_id': log['target_id'],
'success': log['success'],
'ip_address': log.get('ip_address', 'N/A')
})
print(f'Exported {len(all_logs)} audit logs to {output_file}')
if __name__ == '__main__':
export_audit_logs_to_csv()