What is logged
The audit log covers actions across your workspace:| Category | Example events |
|---|---|
| Secrets | created, updated, deleted, value viewed, value changed |
| Projects and environments | created, updated, deleted |
| Members | invited, updated, removed |
| Teams | created, updated, deleted |
| API tokens | created, rotated, revoked |
| Syncs | created, updated, deleted |
| Workspace | created, updated, deleted |
secret.created or secret_value.viewed, a derived action (create, update, delete or view) and a severity (info, notice, warning or critical). Sensitive reads are logged like any other action: viewing a secret value is recorded as a secret_value.viewed event.
What each entry contains
- Actor: who performed the action (a user, an API token, the CLI or an internal system process), including their name, email and how they authenticated
- Event: the event type, action, category and severity
- Target: the affected resource and where it lives (project and environment)
- Change: the before and after state of the action, with a fingerprint and version (never the value) recorded for secret changes
- Request context: IP address, approximate location (country, region and city), user agent and a request ID
- Timestamp: when the action occurred
- Integrity: a per-workspace sequence number and the hash that links the entry to the rest of the chain
Secret values are never stored
When a secret value is created or changed, the log records a keyed hash (a fingerprint) of the value and a version number, never the value itself. You can see that a value changed and when, while the audit log never holds a secret.Tamper evidence
Each entry carries a SHA-256 hash computed from its own contents and the hash of the previous entry, forming a hash chain backed by a per-workspace sequence number. This means:- Modifying an entry changes its hash and breaks the chain at that point
- Deleting an entry leaves a gap in the sequence
- Inserting a fake entry breaks the hash link between the surrounding entries
Viewing audit logs
Workspace admins can browse the audit log in the dashboard under Audit logs. Selecting an entry opens a detail view with the full actor, target, request context and before/after data.Filtering
Narrow the log by:- Actor
- Event type, category, action or severity
- Project, environment or a specific secret
- IP address
- Date range
- Full-text search across actor, resource, project and environment names