> ## Documentation Index
> Fetch the complete documentation index at: https://docs.enkryptify.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit logging

> Track every action with tamper-evident audit logs.

Enkryptify records every significant action in an append-only audit log. Each entry is linked to the previous one with a cryptographic hash, so any tampering is detectable.

## What is logged

The audit log covers actions across your workspace:

| Category                      | Example events                                         |
| ----------------------------- | ------------------------------------------------------ |
| **Secrets**                   | created, updated, deleted, value viewed, value changed |
| **Projects and environments** | created, updated, deleted                              |
| **Members**                   | invited, updated, removed                              |
| **Teams**                     | created, updated, deleted                              |
| **API tokens**                | created, rotated, revoked                              |
| **Syncs**                     | created, updated, deleted                              |
| **Workspace**                 | created, updated, deleted                              |

Each entry has a specific event type such as `secret.created` or `secret_value.viewed`, a derived action (create, update, delete or view) and a severity (info, notice, warning or critical). Sensitive reads are logged like any other action: viewing a secret value is recorded as a `secret_value.viewed` event.

## What each entry contains

* **Actor**: who performed the action (a user, an API token, the CLI or an internal system process), including their name, email and how they authenticated
* **Event**: the event type, action, category and severity
* **Target**: the affected resource and where it lives (project and environment)
* **Change**: the before and after state of the action, with a fingerprint and version (never the value) recorded for secret changes
* **Request context**: IP address, approximate location (country, region and city), user agent and a request ID
* **Timestamp**: when the action occurred
* **Integrity**: a per-workspace sequence number and the hash that links the entry to the rest of the chain

## Secret values are never stored

When a secret value is created or changed, the log records a keyed hash (a fingerprint) of the value and a version number, never the value itself. You can see that a value changed and when, while the audit log never holds a secret.

## Tamper evidence

Each entry carries a SHA-256 hash computed from its own contents and the hash of the previous entry, forming a hash chain backed by a per-workspace sequence number. This means:

* **Modifying** an entry changes its hash and breaks the chain at that point
* **Deleting** an entry leaves a gap in the sequence
* **Inserting** a fake entry breaks the hash link between the surrounding entries

Enkryptify seals each new entry shortly after it is written and can re-verify the whole chain on demand. Verification recomputes every hash and checks the sequence for gaps, reporting the first break it finds.

## Viewing audit logs

Workspace admins can browse the audit log in the dashboard under **Audit logs**. Selecting an entry opens a detail view with the full actor, target, request context and before/after data.

### Filtering

Narrow the log by:

* Actor
* Event type, category, action or severity
* Project, environment or a specific secret
* IP address
* Date range
* Full-text search across actor, resource, project and environment names

### Exporting

Export the current view as CSV or JSON for external retention or analysis.
