
Audit & investigation

Audit is the record of everything the gateway decided. It’s designed so you can investigate any request and prove governance — without the audit trail itself becoming a place secrets leak.

The trail records authentication, policy decision and policy version, credential mode (not value), projection version, upstream transport, session lifecycle, API‑adapter activity, tool calls, admin actions, and revocations — each with a stable, safe shape.

Audit never stores raw tool arguments or secret material. That guarantee is what makes it safe to search broadly, export, and ship to third‑party tooling. Denied calls are recorded too, with a stable machine reason — so you can see what was attempted and refused, not just what succeeded.

  • Search the trail by environment, actor, resource, decision, or time, and open a single request’s full bundle by request_id. See Search the audit trail.
  • Export a result set for offline analysis or retention.
  • SIEM webhooks stream events to your own monitoring with the same metadata‑only guarantees.

See it illustrated: the actor chain and a metadata-only audit event, end to end.
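
A receiving-side check for the metadata-only guarantee described above, as an added example that is not the gateway's own code: it validates webhook or export events against a field allowlist before they are forwarded to other tooling. The field names, the `check_event` and `quarantine` helpers, and the sample events are assumptions built from the attributes this page lists, not a documented schema.

```python
import json
import re

# Assumed field names, modelled on the attributes this page lists; this is
# not the gateway's documented event schema.
ALLOWED_FIELDS = {"request_id", "time", "environment", "actor", "resource",
                  "event_type", "decision", "reason", "policy_version",
                  "credential_mode"}
# Key names that suggest raw tool arguments or secret material.
FORBIDDEN_KEY = re.compile(
    r"(^|_)(args?|arguments|params?|secret|token|password|authorization)(_|$)", re.I)
# Value shapes that look like credentials (heuristics, not exhaustive).
SECRET_VALUE = re.compile(
    r"Bearer\s+\S+|-----BEGIN [A-Z ]+-----|eyJ[\w-]+\.[\w-]+\.[\w-]+")

def entries(obj, key=""):
    """Yield (key, value) for every dict entry and list item, at any depth."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield k, v
            yield from entries(v, k)
    elif isinstance(obj, list):
        for v in obj:
            yield key, v
            yield from entries(v, key)

def check_event(event):
    """Return the ways an event breaks the metadata-only contract."""
    problems = [f"unexpected field: {k}" for k in sorted(event.keys() - ALLOWED_FIELDS)]
    for key, value in entries(event):
        if FORBIDDEN_KEY.search(key):
            problems.append(f"forbidden key: {key}")
        if isinstance(value, str) and SECRET_VALUE.search(value):
            problems.append(f"secret-like value under: {key}")
    if event.get("decision") == "deny" and not event.get("reason"):
        problems.append("denied call without a machine reason")
    return list(dict.fromkeys(problems))  # de-duplicate, keep order

def quarantine(lines):
    """Map request_id -> problems for events that must not be forwarded."""
    checked = ((e.get("request_id", "<missing>"), check_event(e))
               for e in map(json.loads, lines))
    return {rid: probs for rid, probs in checked if probs}

# Constructed sample webhook bodies (not real gateway output).
SAMPLE = [
    '{"request_id": "req-001", "time": "2024-01-01T00:00:00Z", "environment": "prod", "actor": ["user:alice", "agent:build"], "resource": "tool:deploy", "decision": "allow", "policy_version": "v12", "credential_mode": "brokered"}',
    '{"request_id": "req-002", "environment": "prod", "actor": ["user:bob"], "resource": "tool:db", "decision": "deny", "reason": "policy_denied"}',
    '{"request_id": "req-003", "environment": "prod", "actor": ["user:bob"], "resource": "tool:http", "decision": "deny", "tool_arguments": {"header": "Bearer abc123"}}',
]
```

Calling `quarantine(SAMPLE)` holds back only `req-003`, which carries an argument field, a bearer-style value, and a denial with no reason; the two well-formed events pass.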
