Every major event emits a structured log message into a shared ingestion pipeline: invitations, approvals, device enrollments and revocations, policy changes, seed enrollments, access requests, and code displays.
Client devices log every display of a TOTP code, with device, resource, timestamp, and location, and report it to the logging service.
Policy changes are logged with the actor and the diff, so an auditor can reconstruct exactly what changed and who changed it.
Log entries are immutable and append only at the application layer. No updates, no deletes.
The admin console exposes the full history with pagination and filters by user, resource, or event type, including in flight requests that have not completed.
Compliance and security teams inspect the trail in real time or retroactively; the log supports post incident analysis, forensic audit, and SOC 2 controls.
All internal producers (access service, code distribution, clients) emit structured events into one durable stream.
A defined schema per event type with key metadata: who, what, when, from which device, and where.
The moment a code renders on a screen is itself an audit event, closing the last visibility gap.
Real time and historical access, filterable per user, resource, and event type.
Programmatic retrieval for compliance exports and downstream tooling.
The log answers the auditor’s actual question, who saw a working credential and when, not just who requested one.
Immutability is structural: the application layer supports no update or delete on log entries.
Geolocation on requests, approvals, and displays gives forensics a physical dimension without tracking anything else.
Secrets never appear in the log; it records access to codes, not the codes themselves.
Walk through the trust model, policy design, and rollout with our security and solutions team.