audit.log.
Overview
The Audit log tracks:- External AuditEvents: Outbound HTTP calls an agent makes through the proxy to a third-party API (for example,
api.github.com). - Internal AuditEvents: Credential lifecycle operations (login, logout, token refresh, revocation) and auth flow steps.
POST /audit/events endpoint. The proxy itself does not write to local files.
Event Schema
EveryAuditEvent requires two actor fields:
identity: The cryptographic agent Handle making the request.principal_id: The human or team Principal that owns the Vault.
| Field | Description |
|---|---|
timestamp | ISO-8601 UTC timestamp of the event. |
event | The event type (provider.login, provider.login_failed, provider.refresh_failed, provider.revoked, identity.claimed, etc.) |
provider | The external provider involved (e.g., github, openai). |
connection | The named connection used. |
identity | The Identity Handle making the call. |
principal_id | The PrincipalId resolved by the server. |
Dashboard and Admin Access
Authsome includes an Admin Audit Dashboard, served natively by the daemon (at/audit).
- Principals with the
adminrole can view all events across the deployment. - Principals with the
userrole may only view events relevant to their own PrincipalId.
Reading the Log
You can view the audit events directly from the CLI or query the daemon:User-scoped access
GET /api/audit/events is role-aware. Admin principals can review the global audit log.
Non-admin principals receive only events scoped to their own principal, including their
claimed identities, vault, providers, and credential lifecycle activity.
Supported query parameters:
| Parameter | Description |
|---|---|
limit | Number of events to return, clamped to the server maximum. |
cursor | Cursor returned by the previous page. |
next_cursor when another page is available.
Privacy and Secrets
What the log contains:- Timestamps for every significant action.
- Provider and connection names.
- Event types, identity handles, and principal IDs.
- Outcome metadata (like
status: "failure"on failed logins).
- Access tokens, refresh tokens, API keys,
client_secrets, or any other secret values. - Decrypted credential records.
- Request payloads passed through the proxy.