diff --git a/docs.json b/docs.json
index 9b0eef6..4e93dd5 100644
--- a/docs.json
+++ b/docs.json
@@ -116,6 +116,7 @@
]
},
"info/api-keys",
+ "info/audit-logs",
"browsers/file-io",
"browsers/curl",
"browsers/ssh",
@@ -289,6 +290,7 @@
"reference/cli/managed-auth",
"reference/cli/projects",
"reference/cli/api-keys",
+ "reference/cli/audit-logs",
"reference/cli/mcp"
]
}
diff --git a/info/audit-logs.mdx b/info/audit-logs.mdx
new file mode 100644
index 0000000..feb4014
--- /dev/null
+++ b/info/audit-logs.mdx
@@ -0,0 +1,223 @@
+---
+title: "Audit Logs"
+description: "Search and export audit logs for API requests across your organization"
+---
+
+Audit logs record authenticated API requests across your entire organization. Use them to review who called Kernel, which endpoint they called, when the request happened, and how the request completed.
+
+Choose the workflow that matches the amount of data you need:
+
+| Workflow | Best for | Output |
+|----------|----------|--------|
+| Search | Interactive investigation and recent activity | Paginated JSON events |
+| Export | Archival, compliance, and offline analysis | JSON Lines (`.jsonl`) or gzip-compressed JSON Lines (`.jsonl.gz`) |
+
+Audit logs are ordered newest first. Time windows use an inclusive `start` and exclusive `end`: `[start, end)`. A search or export can cover up to 30 days. Split longer periods into multiple time windows.
+
+Both workflows are also available from the [CLI](/reference/cli/audit-logs). For the underlying HTTP API, see [search](https://kernel.sh/docs/api-reference/audit-logs/list-audit-logs) and [export](https://kernel.sh/docs/api-reference/audit-logs/download-an-audit-log-export-chunk) in the API reference.
+
+## Filter audit logs
+
+The API and SDKs use the same filters for search and export:
+
+- `auth_strategy` filters by authentication method, such as `api_key`, `dashboard`, or `oauth`.
+- `service` filters by the service that emitted the audit event.
+- `method` returns only requests that use the specified HTTP method.
+- `exclude_method` omits requests that use any of the specified HTTP methods.
+- `search` matches path, user ID, email, client IP, and status.
+- `search_user_id` matches requests from the specified user IDs in addition to any free-text matches.
+
+
+The API and SDKs include all methods unless you filter. Only the CLI excludes `GET` by default to reduce noise. Pass `--include-get` to remove that default exclusion, or pass `--method GET` to return only GET requests.
+
+
+## Search audit logs
+
+Each API page contains up to 100 events. The SDK pagination helpers request older pages as you iterate.
+
+
+```typescript TypeScript
+import Kernel from '@onkernel/sdk';
+
+const kernel = new Kernel({
+ apiKey: process.env.KERNEL_API_KEY,
+});
+
+for await (const event of kernel.auditLogs.list({
+ start: '2026-06-01T00:00:00Z',
+ end: '2026-06-02T00:00:00Z',
+ method: 'POST',
+})) {
+ console.log(event.timestamp, event.method, event.path, event.status);
+}
+```
+
+```python Python
+import os
+from kernel import Kernel
+
+client = Kernel(api_key=os.environ["KERNEL_API_KEY"])
+
+for event in client.audit_logs.list(
+ start="2026-06-01T00:00:00Z",
+ end="2026-06-02T00:00:00Z",
+ method="POST",
+):
+ print(event.timestamp, event.method, event.path, event.status)
+```
+
+```go Go
+package main
+
+import (
+ "context"
+ "fmt"
+ "time"
+
+ "github.com/kernel/kernel-go-sdk"
+)
+
+func main() {
+ ctx := context.Background()
+ client := kernel.NewClient()
+
+ pager := client.AuditLogs.ListAutoPaging(ctx, kernel.AuditLogListParams{
+ Start: time.Date(2026, time.June, 1, 0, 0, 0, 0, time.UTC),
+ End: time.Date(2026, time.June, 2, 0, 0, 0, 0, time.UTC),
+ Method: kernel.String("POST"),
+ })
+ for pager.Next() {
+ event := pager.Current()
+ fmt.Println(event.Timestamp, event.Method, event.Path, event.Status)
+ }
+ if err := pager.Err(); err != nil {
+ panic(err)
+ }
+}
+```
+
+
+See the [API reference](https://kernel.sh/docs/api-reference/audit-logs/list-audit-logs) for the full request and response schema.
+
+## Export audit logs
+
+The export API returns one chunk per request. Export paging uses a cursor rather than the page token used by search; both are opaque values you pass back unchanged.
+
+Repeat requests until `X-Has-More` is `false`, passing `X-Next-Cursor` back as `cursor`. With the `jsonl.gz` format, each chunk is an independent gzip member, and appending the members produces a valid gzip file. With `jsonl`, each chunk contains raw JSON Lines that you can also append.
+
+The following minimal examples write all chunks to one file. For a hardened export with checksum verification and retries, use the [CLI](/reference/cli/audit-logs#kernel-audit-logs-download).
+
+
+```typescript TypeScript
+import { open } from 'node:fs/promises';
+import Kernel from '@onkernel/sdk';
+
+const kernel = new Kernel({
+ apiKey: process.env.KERNEL_API_KEY,
+});
+
+const file = await open('audit-logs.jsonl.gz', 'w');
+try {
+ let cursor: string | undefined;
+ while (true) {
+ const response = await kernel.auditLogs.exportChunk({
+ start: '2026-06-01T00:00:00Z',
+ end: '2026-06-02T00:00:00Z',
+ format: 'jsonl.gz',
+ exclude_method: ['GET'],
+ cursor,
+ });
+
+ await file.writeFile(Buffer.from(await response.arrayBuffer()));
+
+ if (response.headers.get('x-has-more') !== 'true') {
+ break;
+ }
+ cursor = response.headers.get('x-next-cursor') ?? undefined;
+ }
+} finally {
+ await file.close();
+}
+```
+
+```python Python
+import os
+from kernel import Kernel
+
+client = Kernel(api_key=os.environ["KERNEL_API_KEY"])
+
+params = {
+ "start": "2026-06-01T00:00:00Z",
+ "end": "2026-06-02T00:00:00Z",
+ "format": "jsonl.gz",
+ "exclude_method": ["GET"],
+}
+
+with open("audit-logs.jsonl.gz", "wb") as file:
+ while True:
+ response = client.audit_logs.export_chunk(**params)
+ file.write(response.read())
+ if response.headers.get("x-has-more") != "true":
+ break
+ params["cursor"] = response.headers.get("x-next-cursor")
+```
+
+```go Go
+package main
+
+import (
+ "context"
+ "io"
+ "os"
+ "time"
+
+ "github.com/kernel/kernel-go-sdk"
+)
+
+func main() {
+ ctx := context.Background()
+ client := kernel.NewClient()
+
+ file, err := os.Create("audit-logs.jsonl.gz")
+ if err != nil {
+ panic(err)
+ }
+ defer file.Close()
+
+ params := kernel.AuditLogExportChunkParams{
+ Start: time.Date(2026, time.June, 1, 0, 0, 0, 0, time.UTC),
+ End: time.Date(2026, time.June, 2, 0, 0, 0, 0, time.UTC),
+ Format: kernel.AuditLogExportChunkParamsFormatJSONLGz,
+ ExcludeMethod: []string{"GET"},
+ }
+
+ for {
+ response, err := client.AuditLogs.ExportChunk(ctx, params)
+ if err != nil {
+ panic(err)
+ }
+ _, copyErr := io.Copy(file, response.Body)
+ closeErr := response.Body.Close()
+ if copyErr != nil {
+ panic(copyErr)
+ }
+ if closeErr != nil {
+ panic(closeErr)
+ }
+
+ if response.Header.Get("X-Has-More") != "true" {
+ break
+ }
+ params.Cursor = kernel.String(response.Header.Get("X-Next-Cursor"))
+ }
+}
+```
+
+
+
+ Don't use these minimal loops for a production export without adding integrity checks and durable cursor storage. For each chunk, buffer the exact response bytes, compare their SHA-256 hash with `X-Content-Sha256`, write the verified bytes, and then validate the cursor. When `X-Has-More` is `true`, require a non-empty `X-Next-Cursor` that differs from the current cursor. Persist that cursor only after the verified chunk is safely written. You must also retry transient failures. The [CLI download command](/reference/cli/audit-logs#kernel-audit-logs-download) implements this hardened path.
+
+
+Export chunks contain one JSON object per line. They use the same fields as search results and add `event_id`, which provides a stable tie-breaker when multiple events share a timestamp.
+
+See the [API reference](https://kernel.sh/docs/api-reference/audit-logs/download-an-audit-log-export-chunk) for the full request and response schema.
diff --git a/reference/cli.mdx b/reference/cli.mdx
index 7a47a9d..b0cc1a3 100644
--- a/reference/cli.mdx
+++ b/reference/cli.mdx
@@ -61,6 +61,9 @@ kernel --version
Create, list, rename, and delete API keys.
+
+ Search and download organization audit logs.
+
## Quick Start
diff --git a/reference/cli/audit-logs.mdx b/reference/cli/audit-logs.mdx
new file mode 100644
index 0000000..5e25c1e
--- /dev/null
+++ b/reference/cli/audit-logs.mdx
@@ -0,0 +1,93 @@
+---
+title: "Audit Logs"
+---
+
+Search and download [organization audit logs](/info/audit-logs) from the CLI.
+
+## `kernel audit-logs search`
+
+Search audit logs within a time window. Results are ordered newest first.
+
+```bash
+kernel audit-logs search \
+ --start 2026-06-01 \
+ --end 2026-06-08 \
+ --search /browsers \
+ --limit 500 \
+ --output json
+```
+
+If you omit the time flags, the command searches from 24 hours ago through now. The start is inclusive and the end is exclusive. Each time window can cover up to 30 days.
+
+| Flag | Description |
+|------|-------------|
+| `--start