Audit Logs
Security audit trail of all organization activities
Audit Logs
Audit logs provide a comprehensive security trail of all important actions performed within your organization.
What are Audit Logs?
Audit logs track who did what, when, and where in your organization:
Recorded information:
- Actor: Who performed the action (name + email)
- Action: What they did
- Resource: What was affected (API key, member, wallet)
- Timestamp: Exact date and time
- IP Address: Where they were (if available)
- User Agent: Browser/device information
- Metadata: Additional details specific to the action
Purpose:
- Security monitoring
- Compliance requirements
- Debugging issues
- Accountability
- Forensic investigation
Who Can Access Audit Logs?
| Role | Access |
|---|---|
| Member | ❌ No access |
| Admin | ✅ Full access |
| Owner | ✅ Full access |
Admin and Owner access:
- View all organization audit logs
- See actions by all members
- Export logs (coming soon)
- Search and filter
Logged Actions
Member Actions
Invitations:
MEMBER_INVITED- New member invited to organizationINVITATION_ACCEPTED- Member accepted invitationINVITATION_REVOKED- Invitation cancelledINVITATION_EXPIRED- Invitation expired (8 days)
Role Changes:
MEMBER_ROLE_CHANGED- Member role updated (OWNER/ADMIN/MEMBER)MEMBER_PROMOTED- Member promoted to higher roleMEMBER_DEMOTED- Member downgraded to lower role
Removal:
MEMBER_REMOVED- Member removed from organization
API Key Actions
Creation:
API_KEY_CREATED- New API key generated- Records: key label, scope (PERSONAL/TEAM), creator
Management:
API_KEY_BLOCKED- Key temporarily disabledAPI_KEY_UNBLOCKED- Key re-enabledAPI_KEY_REVOKED- Key permanently deletedAPI_KEY_LIMIT_UPDATED- Monthly limit changed
Wallet Actions
Deposits:
FUNDS_DEPOSITED- Cryptocurrency payment received- Records: amount, currency, transaction ID
Status Changes:
WALLET_FROZEN- Wallet frozen (balance = $0 or admin action)WALLET_UNFROZEN- Wallet re-enabledLOW_BALANCE_ALERT- Balance dropped below threshold
Manual Adjustments:
FUNDS_REFUNDED- Admin issued refundBALANCE_ADJUSTED- Admin manually adjusted balance
Organization Actions
Settings:
ORG_SETTINGS_UPDATED- Organization name or settings changedORG_TIER_CHANGED- Tier upgraded/downgradedORG_LOW_BALANCE_THRESHOLD_UPDATED- Alert threshold changed
Lifecycle:
ORG_CREATED- Organization first createdORG_FROZEN- Organization frozen by adminORG_UNFROZEN- Organization unfrozenORG_DELETED- Organization permanently deleted
Authentication Actions
Sign-in:
USER_SIGNED_IN- Member logged inUSER_SIGNED_OUT- Member logged outFAILED_SIGN_IN_ATTEMPT- Login failed (security)
Security Actions
Suspicious Activity:
SUSPICIOUS_ACTIVITY_DETECTED- Unusual pattern detectedRATE_LIMIT_EXCEEDED- Too many requestsUNAUTHORIZED_ACCESS_ATTEMPT- Access denied
Log Entry Details
Basic Information
Every log entry contains:
Timestamp:
2024-01-15 14:32:47 UTC- Exact date and time
- Timezone: UTC
- Millisecond precision
Actor:
John Smith ([email protected])- Full name
- Email address
- User ID (internal reference)
Action:
API_KEY_CREATED- Standardized action code
- Human-readable description
- Category (MEMBER, API_KEY, WALLET, ORG)
Detailed Information
Resource:
Resource Type: API_KEY
Resource ID: key_abc123
Resource Name: "Production API Key"Metadata (varies by action):
For API_KEY_CREATED:
{
"keyLabel": "Production API Key",
"scope": "TEAM",
"scopes": ["gpt-4", "claude-3"],
"monthlyLimit": 100.00,
"createdBy": "[email protected]"
}For MEMBER_ROLE_CHANGED:
{
"memberEmail": "[email protected]",
"oldRole": "MEMBER",
"newRole": "ADMIN",
"changedBy": "[email protected]",
"reason": "Promoted to team lead"
}For FUNDS_DEPOSITED:
{
"amount": 100.00,
"currency": "USD",
"paymentMethod": "USDT_TRC20",
"transactionId": "0x123abc...",
"providerReference": "nowpayments_12345"
}IP Address:
203.0.113.1- Source IP of action
- Useful for security analysis
- Detect unusual locations
User Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 Chrome/120.0.0.0- Browser and device info
- Detect suspicious clients
- Understand access patterns
Using Audit Logs
Viewing Logs
- Navigate to Audit Logs page
- See most recent logs first
- Scroll through chronological list
- Click entry to expand details
Pagination
- 50 logs per page (default)
- Click "Next Page" to load older logs
- Click "Previous Page" to go back
- Page numbers shown at bottom
Reading Log Entries
Expanded view shows:
- Full timestamp with timezone
- Actor name and email
- Action performed
- Resource affected
- Complete metadata
- IP address
- User agent
- Internal IDs for reference
Common Use Cases
Security Investigation
Scenario: Suspicious API key usage detected
Investigation steps:
- Go to Audit Logs
- Search for API_KEY_CREATED entries
- Check who created the suspicious key
- View creation timestamp
- Check IP address (from different location?)
- Review related actions by same actor
- Check if key was revoked
- Identify pattern
Example findings:
2024-01-15 03:00:00 - API_KEY_CREATED
Actor: [email protected]
IP: 103.45.67.89 (Vietnam)
Usual IP: 203.0.113.1 (USA)
Action: Created key with no monthly limitAction: Key likely created by compromised account → Reset password, revoke key, investigate further
Compliance Auditing
Scenario: Quarterly security review
Steps:
- Export audit logs for period (coming soon)
- Filter by action types:
- MEMBER_INVITED, MEMBER_REMOVED
- API_KEY_CREATED, API_KEY_REVOKED
- MEMBER_ROLE_CHANGED
- Verify all actions authorized
- Check for unusual patterns
- Document findings
Compliance requirements met:
- ✅ Track all access changes
- ✅ Monitor privileged actions
- ✅ Immutable audit trail
- ✅ Timestamp all events
- ✅ Identify responsible parties
Troubleshooting
Scenario: Member says they didn't remove API key
Investigation:
- Search logs for API_KEY_REVOKED
- Find the key revocation entry
- Check actor (who did it)
- Check timestamp (when)
- Check IP/user agent
- Verify if really that member
Possible findings:
Actor: [email protected] (Admin)
Time: 2024-01-14 18:00:00
Action: API_KEY_REVOKED
Reason: "Monthly limit exceeded, key disabled"Resolution: Admin revoked key, not the member. Explained the reason.
Cost Attribution
Scenario: Unexpected high spending
Investigation:
- Check Request Logs for high usage
- Identify API key responsible
- Go to Audit Logs
- Find API_KEY_CREATED for that key
- See who created it
- Check MEMBER_INVITED if recent member
- Attribute cost to responsible party
Example:
Key: "Test Key 123"
Created by: [email protected]
Created: 2024-01-10
Usage: $500 in 3 days
Issue: No monthly limit setAction: Set monthly limit, talk to contractor about usage
Security Best Practices
Regular Monitoring
Daily:
- Check for unexpected member additions
- Review API key creations
- Look for role changes
Weekly:
- Full audit log review
- Check for suspicious IPs
- Verify all actions authorized
Monthly:
- Compliance report
- Export logs for records
- Review access patterns
Red Flags to Watch For
Member Actions:
- 🚩 Member invited outside business hours
- 🚩 Multiple role changes in short time
- 🚩 Member removed then re-added
- 🚩 Invitation from unusual IP
API Key Actions:
- 🚩 Keys created with no monthly limit
- 🚩 Many keys created rapidly
- 🚩 Keys created outside business hours
- 🚩 Key revoked immediately after creation
Wallet Actions:
- 🚩 Large deposits from unknown IP
- 🚩 Wallet unfrozen by non-owner
- 🚩 Multiple deposit attempts
Organization Actions:
- 🚩 Settings changed unexpectedly
- 🚩 Low balance threshold set to $0
- 🚩 Organization name changed
Responding to Suspicious Activity
Immediate actions:
- Block the suspicious API keys
- Change compromised member passwords
- Remove unauthorized members
- Freeze wallet if needed (prevent financial loss)
- Document everything
Investigation:
- Review full audit trail
- Check related actions
- Identify entry point
- Assess damage
- Determine root cause
Remediation:
- Fix security gap
- Reset affected credentials
- Implement additional controls
- Update team on findings
- Monitor for recurrence
Data Retention
Storage period:
- Audit logs retained indefinitely
- Never deleted automatically
- Supports compliance requirements
- Available for entire organization lifetime
Immutability:
- Logs cannot be modified
- Logs cannot be deleted (by anyone)
- Permanent record
- Tamper-proof
Access:
- Admins and Owners only
- No member access
- Export coming soon
- API access planned
Limitations
Current limitations:
- ❌ Cannot search by keyword yet
- ❌ Cannot filter by action type
- ❌ Cannot export to CSV/JSON
- ❌ No alerting on specific actions
- ❌ No real-time notifications
Coming soon:
- ✅ Advanced search
- ✅ Filtering options
- ✅ CSV/JSON export
- ✅ Webhook notifications
- ✅ Custom alert rules
- ✅ Integration with SIEM systems
Related Features
Request Logs:
- See actual API usage
- Different from audit logs
- Shows technical activity
- View Request Logs
Analytics:
- Usage patterns
- Cost trends
- Performance metrics
- View Analytics
Wallet Transactions:
- Financial audit trail
- Deposits and deductions
- Balance history
- View Wallet
FAQs
Can audit logs be deleted?
No. Audit logs are permanent and immutable.
Why?
- Security requirement
- Compliance necessity
- Forensic evidence
- Accountability
Can anyone modify audit logs?
No. Not even platform admins can modify logs.
Integrity guaranteed by:
- Append-only database
- Cryptographic hashing (coming soon)
- Immutable storage
- Audit of audits (admin actions logged separately)
How far back do logs go?
Forever. All logs retained since organization creation.
Retention policy:
- No automatic deletion
- Available for life of organization
- Even after member leaves
- Even after key revoked
Can I get alerts for specific actions?
Not yet, but coming soon.
Planned features:
- Email alerts for critical actions
- Webhook notifications
- Slack/Discord integrations
- Custom alert rules
Can I export audit logs?
Coming soon. Export features in development.
Planned formats:
- CSV for spreadsheets
- JSON for programmatic access
- PDF for compliance reports
- API access for automation