Veil Keys Docs

The audit trail

If an agent can act with your secrets, you need to know exactly what it did. Veil Keys writes every sensitive action to an append-only audit log that answers one question precisely: “what did this agent, token, or person touch — and when?”

What gets recorded

The audit log captures the security-relevant events across the system:

Event              Example
Credential use     An agent made an authenticated API call through the broker
Reveal             A user viewed a credential’s plaintext
SSH sign           The broker signed a challenge with an SSH key
CI resolve         A build resolved a secret into its environment
Grant changes      A permission was granted or revoked on a workspace
Logins             An authentication event, including 2FA
Policy decisions   A request was allowed or refused — e.g. an SSRF block or a domain-binding refusal
Token creation     An agent, CI, or SSH token was issued

Each entry records who, what, and when, plus the action’s metadata — the host that was called, the tool that was used, the decision that was made.

Append-only by design

The log is append-only: entries are written, never edited or deleted in place. That property is what makes the trail trustworthy after an incident — a compromised actor can’t quietly rewrite history to cover their tracks. What happened, happened, and it stays in the record.

    veil audit --token agent-ci-bot --since 24h
    09:14 use api.stripe.com POST /v1/charges ok
    09:14 policy host=10.0.0.5 ssrf: private range refused
    11:02 reveal — denied: token has 'use' refused

value never recorded — metadata only

Who can see it

The audit trail is visible to organization admins (owners and admins). It is the record of what happened across the org’s workspaces, scoped to the org — consistent with the access-control model.

What to use it for

  • Investigate an agent. “What did this agent token touch in the last day?” — every use, with the host and method, in one place.
  • Confirm a refusal. Domain-binding and SSRF refusals are logged as policy decisions, so you can verify a guardrail fired rather than assuming it did.
  • Review reveals. Because reveal is the one path to plaintext, every reveal is in the log — a spike is a signal worth investigating.
  • Track access changes. Grant and revoke events show who changed whose access, and when.
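The properties described above (entries that record who, what and when plus metadata, a value that is never written, an append-only trail that cannot be quietly rewritten, and the four investigation queries) can be seen together in a small model. The following is an added illustration, not Veil Keys' code or its storage format: the entry field names, the hash chain used to make edits detectable, the list of metadata keys the writer refuses to record, and the sample entries (shaped after the `veil audit` output above, with a constructed reference time) are all assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumption for this example: metadata keys that must never reach the log,
# so a reveal entry can only ever say that a reveal happened, not what was shown.
FORBIDDEN_METADATA = {"value", "plaintext", "secret"}
GENESIS = "0" * 64


def _digest(prev_hash, body):
    """Hash an entry body together with the previous entry's hash (chain link)."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    """Append-only log: entries are added, never edited or deleted in place."""

    FIELDS = ("ts", "actor", "event", "meta", "prev")

    def __init__(self):
        self._entries = []

    def append(self, actor, event, at, **metadata):
        """Record who (actor), what (event + metadata) and when (at)."""
        leaked = FORBIDDEN_METADATA & set(metadata)
        if leaked:
            raise ValueError(f"refusing to record secret material: {sorted(leaked)}")
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"ts": at.isoformat(), "actor": actor, "event": event,
                 "meta": metadata, "prev": prev}
        entry["hash"] = _digest(prev, {k: entry[k] for k in self.FIELDS})
        self._entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first entry whose chain link is broken, else None."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            body = {k: e[k] for k in self.FIELDS}
            if e["prev"] != prev or _digest(prev, body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def query(self, actor=None, event=None, since=None, now=None):
        """Filter entries the way `veil audit --token ... --since ...` would."""
        cutoff = now - since if since else None
        return [e for e in self._entries
                if (actor is None or e["actor"] == actor)
                and (event is None or e["event"] == event)
                and (cutoff is None or datetime.fromisoformat(e["ts"]) >= cutoff)]

    def refusals(self):
        """Confirm a guardrail fired: policy decisions that refused a request."""
        return [e for e in self.query(event="policy") if e["meta"].get("decision") == "refused"]

    def reveal_counts(self, since, now):
        """Review reveals: how many reveal events each actor produced in the window."""
        counts = {}
        for e in self.query(event="reveal", since=since, now=now):
            counts[e["actor"]] = counts.get(e["actor"], 0) + 1
        return counts


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def build_sample_log():
    """Constructed sample entries, shaped after the page's `veil audit` output."""
    log = AuditLog()
    h = lambda n: NOW - timedelta(hours=n)
    log.append("agent-ci-bot", "use", h(30), host="api.stripe.com", method="GET",
               path="/v1/balance", result="ok")            # outside a 24h window
    log.append("admin-bob", "grant", h(5), workspace="payments", subject="alice",
               permission="use")
    log.append("agent-ci-bot", "use", h(3), host="api.stripe.com", method="POST",
               path="/v1/charges", result="ok")
    log.append("agent-ci-bot", "policy", h(3), host="10.0.0.5", decision="refused",
               reason="ssrf: private range")
    for n in (2, 1, 0.5):
        log.append("alice", "reveal", h(n), credential="stripe-live", decision="allowed")
    log.append("agent-ci-bot", "reveal", h(1), decision="denied", reason="token has 'use' only")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.query(actor="agent-ci-bot", since=timedelta(hours=24), now=NOW):
        print(e["ts"], e["event"], e["meta"])
    print("refusals:", len(log.refusals()), "reveals:", log.reveal_counts(timedelta(hours=24), NOW))
```

The `verify` check is what gives the "what happened, happened" guarantee teeth in this model: editing any earlier entry in place changes its hash, which no longer matches the `prev` stored by the entry after it, so the first altered index is reported. The `append` guard shows the other half of the page's point, that a reveal leaves a record of the event but never of the value.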