diff --git a/temporal/api/cloud/auditlog/v1/message.proto b/temporal/api/cloud/auditlog/v1/message.proto
new file mode 100644
index 0000000..9925bbd
--- /dev/null
+++ b/temporal/api/cloud/auditlog/v1/message.proto
@@ -0,0 +1,107 @@
+syntax = "proto3";
+
+package temporal.api.cloud.auditlog.v1;
+
+option go_package = "go.temporal.io/api/cloud/auditlog/v1;auditlog";
+option java_package = "io.temporal.api.cloud.auditlog.v1";
+option java_multiple_files = true;
+option java_outer_classname = "MessageProto";
+option ruby_package = "Temporalio::Api::Cloud::AuditLog::V1";
+option csharp_namespace = "Temporalio.Api.Cloud.AuditLog.V1";
+
+import "google/protobuf/timestamp.proto";
+
+// LogRecord represents an audit log entry from Temporal, structured for easy parsing and analysis.
+message LogRecord {
+ // Time when the log was emitted from the source
+ google.protobuf.Timestamp emit_time = 1;
+
+ // Level of the log, i.e. info, warn, error etc
+ LogLevel level = 2;
+
+ // Operator email address - optional
+ string user_email = 3;
+
+ // Operator IP address or server name
+ string caller_ip_address = 4;
+
+ // Operation performed
+ string operation = 5;
+
+ // Detailed information about the operation.
+ OperationDetail details = 6;
+
+ // Operation status from API call
+ string status = 7;
+
+ // Admin or System
+ LogCategory category = 8;
+
+ // Specifies the version of the log entry to distinguish between different systems on the server side.
+ int32 version = 9;
+
+ // Unique ID for the log record.
+ string log_id = 10;
+}
+
+// OperationDetails includes potential more detailed operation logs extracted from the different fields in the
+// Temporal API logs or third party logs, e.g. auth0
+message OperationDetail {
+ // The namespace the operation was performed on - optional
+ string namespace = 1;
+
+ // The email addresses of the users on whom the operation was performed - optional
+ repeated string target_users = 2;
+
+ // Names of any roles/accesses assigned to identities that were processed in this request - optional
+ repeated string roles = 3;
+
+ // Fingerprints if client ca is included - optional
+ repeated string client_ca_fingerprints = 4;
+
+ // Details of a search attribute update - optional
+ SearchAttributeUpdate search_attribute_update = 5;
+
+ // Additional relevant message - optional
+ string additional_message = 6;
+
+ // Namespace's region - optional
+ string region = 7;
+
+ // If account features were updated i.e. external metrics, audit logging sink etc. - optional
+ repeated string account_features = 8;
+
+ // Third party log details eg: auth0 - optional
+ ThirdPartyLogDetail third_party_details = 9;
+}
+
+message SearchAttributeUpdate {
+ string existing_attribute = 1;
+
+ string new_attribute = 2;
+}
+
+message ThirdPartyLogDetail {
+ string id = 1;
+
+ // the third party source, e.g. auth0
+ string source = 2;
+
+ // the raw log message from the third party app, e.g. the whole auth0 event log
+ string raw_message = 3;
+}
+
+enum LogCategory {
+ LOG_CATEGORY_UNSPECIFIED = 0;
+ LOG_CATEGORY_ADMIN = 1;
+ LOG_CATEGORY_SYSTEM = 2;
+}
+
+enum LogLevel {
+ LOG_LEVEL_UNSPECIFIED = 0;
+ LOG_LEVEL_INFO = 1;
+ LOG_LEVEL_DEBUG = 2;
+ LOG_LEVEL_WARN = 3;
+ LOG_LEVEL_ERROR = 4;
+ LOG_LEVEL_FATAL = 5;
+}
diff --git a/temporal/api/cloud/cloudservice/v1/request_response.proto b/temporal/api/cloud/cloudservice/v1/request_response.proto
index 176889d..edf705e 100644
--- a/temporal/api/cloud/cloudservice/v1/request_response.proto
+++ b/temporal/api/cloud/cloudservice/v1/request_response.proto
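Review bot: SearchAttributeUpdate and ThirdPartyLogDetail.id have no leading comments, so a consumer cannot tell whether existing_attribute and new_attribute hold an attribute name, its type or its value, or what id identifies; add comments stating that (presumably the attribute definition before and after the change, and the event identifier in the third party system — confirm), e.g. `// Search attribute as it was before the update` and `// Identifier of the event assigned by the third party source`. raw_message is documented as "the whole auth0 event log", which makes it an unbounded field that can carry personal data of the third party's users; the comment should state whether the content is redacted and whether a size limit is applied, because audit-log consumers commonly forward these records verbatim to a SIEM. Minor: the import statement sits after the option statements, whereas buf format places imports before file-level options.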
@@ -9,6 +9,9 @@ option java_outer_classname = "RequestResponseProto";
 option ruby_package = "Temporalio::Api::Cloud::CloudService::V1";
 option csharp_namespace = "Temporalio.Api.Cloud.CloudService.V1";
 
+import "google/protobuf/timestamp.proto";
+
+import "temporal/api/cloud/auditlog/v1/message.proto";
 import "temporal/api/cloud/operation/v1/message.proto";
 import "temporal/api/cloud/identity/v1/message.proto";
 import "temporal/api/cloud/namespace/v1/message.proto";
@@ -525,3 +528,22 @@ message DeleteServiceAccountResponse {
 // The async operation.
 temporal.api.cloud.operation.v1.AsyncOperation async_operation = 1;
 }
+
+message GetAuditLogsRequest {
+ // The requested size of the page to retrieve - optional.
+ // Cannot exceed 1000. Defaults to 100.
+ int32 page_size = 1;
+ // The page token if this is continuing from another response - optional.
+ string page_token = 2;
+ // Filter for UTC time >= (defaults to 30 days ago) - optional.
+ google.protobuf.Timestamp start_time_inclusive = 3;
+ // Filter for UTC time < (defaults to current time) - optional.
+ google.protobuf.Timestamp end_time_exclusive = 4;
+}
+
+message GetAuditLogsResponse {
+ // The list of audit logs ordered by inserted time, emit time, log_id
+ repeated temporal.api.cloud.auditlog.v1.LogRecord logs = 1;
+ // The next page's token.
+ string next_page_token = 2;
+}
\ No newline at end of file
diff --git a/temporal/api/cloud/cloudservice/v1/service.proto b/temporal/api/cloud/cloudservice/v1/service.proto
index f37e673..df1ba44 100644
--- a/temporal/api/cloud/cloudservice/v1/service.proto
+++ b/temporal/api/cloud/cloudservice/v1/service.proto
@@ -260,4 +260,11 @@ service CloudService {
 delete: "/cloud/service-accounts/{service_account_id}",
 };
 }
+
+ // Get audit logs
+ rpc GetAuditLogs(GetAuditLogsRequest) returns (GetAuditLogsResponse) {
+ option (google.api.http) = {
+ get: "/cloud/audit-logs",
+ };
+ }
 }
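Review bot: GetAuditLogsRequest states defaults for start_time_inclusive and end_time_exclusive but not what happens when the start is not earlier than the end, nor whether a window reaching further back than the audit-log retention is clamped or rejected; a comment on start_time_inclusive such as `// Must be earlier than end_time_exclusive; inverted ranges are rejected.` (if that is the server behaviour) would settle it. page_size is an int32 documented with a 1000 cap, so the comment should also say how zero and negative values are treated — presumably zero takes the default of 100 and negatives are rejected, which needs confirming. In GetAuditLogsResponse the ordering comment cites "inserted time", which is not a field of LogRecord, so a client cannot reproduce the order or detect a gap between pages; either name the exposed keys only (`// ... ordered by emit_time, then log_id`) or state that the primary key is server-side and opaque, and add `// Empty when there are no further pages.` to next_page_token. The earlier hunk in this file inserts the two new imports with a blank line between them rather than into the existing run; cosmetic.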
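Review bot: The leading comment `// Get audit logs` on GetAuditLogs says nothing about who may call it, although the records it returns include operator email addresses, caller IP addresses and raw third-party events (see LogRecord and ThirdPartyLogDetail in this change); document the authorisation requirement, e.g. `// Get audit logs for the account. Requires the <ACCOUNT-ROLE-PLACEHOLDER> role.` with the placeholder filled from the actual policy. Because the method is bound to HTTP GET on /cloud/audit-logs, the request fields are carried as query parameters, so a one-line note that page_size, page_token and the two time filters are passed as query parameters would help REST callers. The enclosing service CloudService starts outside the hunk.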
diff --git a/temporal/api/cloud/identity/v1/message.proto b/temporal/api/cloud/identity/v1/message.proto
index 7db0cae..0ede1d8 100644
--- a/temporal/api/cloud/identity/v1/message.proto
+++ b/temporal/api/cloud/identity/v1/message.proto
@@ -12,9 +12,11 @@ option csharp_namespace = "Temporalio.Api.Cloud.Identity.V1";
 import "google/protobuf/timestamp.proto";
 
 message AccountAccess {
- // The role on the account, should be one of [admin, developer, read]
+ // The role on the account, should be one of [owner, admin, developer, financeadmin, read]
+ // owner - gives full access to the account, including users, namespaces, and billing
 // admin - gives full access the account, including users and namespaces
 // developer - gives access to create namespaces on the account
+ // financeadmin - gives read only access and write access for billing
 // read - gives read only access to the account
 string role = 1;
 }
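Review bot: role stays a free-form string while the accepted set grows to five values listed only in a comment, so the schema cannot distinguish `financeadmin` from a misspelling and nothing states whether matching is case-sensitive or whether the server rejects values outside the list; add that to the comment, e.g. `// Values outside this list, or with different casing, are rejected.` if that is the behaviour. Retyping the field would be a wire break, so if a closed vocabulary is wanted it should arrive as a new enum-typed sibling field with this one marked deprecated. The financeadmin line is also ambiguous about what its read-only part covers; `// financeadmin - gives read only access to the account and write access for billing` would mirror the wording used for read. The existing admin line reads "full access the account" and could take the same pass while this comment is being edited.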