Audit Log

The Audit Log records every significant event in your vault -- credential access, agent requests, MCP proxy calls, token refreshes, and policy decisions. Open it from the Audit Log page in your dashboard.

Event Types

Sources

Each event records how the credential was accessed:

• Direct -- You accessed the credential from the Token Vault dashboard.
• Agent -- An AI agent retrieved the credential using its API key or MCP tool.
• MCP Proxy -- A credential was injected into an upstream API call via the MCP proxy.

Filtering

Use the filter bar at the top of the Audit Log to narrow results by:

• Event type -- Secret Access, Agent Access, Token Refresh, or Policy Denied.
• Source -- Direct, Agent, or MCP Proxy.
• Service -- Filter by the specific service name (e.g. github, openai).
• Agent -- Filter by a specific agent identity.

You can also navigate to the audit log pre-filtered from other pages. For example, clicking "View activity" on an agent card links directly to that agent's audit events.

Event Details

Each audit entry shows:

• Title -- What happened (e.g. the agent name, proxy name, or "Direct Access").
• Service badge -- Which credential was involved.
• Timestamp -- Relative time with full date on hover.
• Client info -- Browser, CLI, MCP/Python, or Node.js based on the user agent.
• Client IP -- The IP address of the requester.
• Denial reason -- For policy-denied events, the specific rule that blocked the request (e.g. time_window, rate_limit).

Retention

Audit events are stored for 90 days and are scoped to your user account. Events are append-only and cannot be modified or deleted.