Audit Log Compliance and Security

Define access, retention, redaction, evidence, monitoring, and review controls around organization audit records.

AuthOS release 0.8.2 API v1 Latest-only documentation
Updated Jul 15, 2026 Edit this page
On this page

Security Considerations

Access Control:

  • Only owners and admins can view audit logs
  • API queries are intended to scope logs by organization; public cross-tenant coverage evidence is still being expanded
  • Deleted users still appear in logs (email preserved)
  • Platform owners cannot access organization audit logs (privacy)

Data Retention:

  • The API does not expose general deletion; verify actual database retention and cleanup behavior
  • Define retention based on applicable operational and legal requirements
  • Export logs regularly for archival
  • Logs survive organization deletion (platform-level cleanup required)

Sensitive Information:

  • Passwords, secrets, and OAuth tokens are intended to be excluded; verify redaction against the release and custom integrations you deploy
  • API keys are logged by ID only (not full key)
  • Personal data (email) is logged for accountability
  • Consider GDPR right to erasure when deleting users

Performance:

  • Audit-log volume can become large over time
  • Use pagination to avoid timeouts
  • Filter by action or target to reduce dataset size
  • Consider exporting to external log management system (e.g., Splunk, Datadog)

Tamper Protection:

  • The public API does not expose audit-log mutation or deletion operations
  • Database administrators and infrastructure controls remain inside the trust boundary, so this is not a tamper-proof or immutable-storage guarantee
  • Actor information captured at event time (not dynamic)
  • Timestamps are server-side (cannot be spoofed)

Best Practices

Regular Review:

  • Review audit logs weekly for unusual activity
  • Set up automated alerts for critical events
  • Export logs monthly for archival
  • Investigate all failed actions

Filtering Strategies:

  • Start broad, then narrow down with filters
  • Use action filter for specific event types
  • Use target_type + target_id for resource history
  • Export to external tools for advanced analytics

Control-program use:

  • Document audit log retention policy
  • Export logs regularly for long-term storage
  • Include audit logs in security audits
  • Train team on audit log interpretation

Security Monitoring:

  • Alert on critical events (service deletion, user removal)
  • Monitor for unusual IP addresses
  • Track failed actions for potential attacks
  • Review API key creation/deletion regularly