Audit Trail
Every API operation executed through Toolcog is logged with full context. These audit logs help you understand what happened, debug issues, and meet compliance requirements.
What Gets Logged
Every API Call
When AI executes an operation via call_api, Toolcog records:
- Operation — Which operation was called (e.g., github/repos.create)
- Arguments — Parameters passed to the operation (sanitized)
- Result — Success or failure, HTTP status
- Timing — When the call started and how long it took
- Identity — Which account and session initiated the call
Authentication Events
- OAuth connections established
- API keys added
- Credentials revoked
- Token refreshes
Discovery Events
- Search queries via find_api
- Type requests via learn_api
- Operations discovered and used
What’s Not Logged
Toolcog explicitly avoids logging:
- Credential values — API keys, OAuth tokens, passwords never appear in logs
- Sensitive response data — Full API responses are not retained
- Request bodies with PII — Personal data in payloads is not stored
Audit logs contain enough context to understand what happened without exposing secrets.
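As an added illustration of the "What's Not Logged" rules (this is example code, not Toolcog's own implementation), the sanitizer below strips credential values and request bodies from operation arguments before they are placed in an entry shaped like the Log Structure table. The key patterns, the `[REDACTED]` marker and the `body`/`payload`/`data` field names are assumptions chosen for the demo.

```python
import json
import re
from datetime import datetime, timezone

# Argument names whose values must never reach the audit log (assumed, illustrative list).
SECRET_KEYS = re.compile(r"(token|secret|password|passwd|api[_-]?key|authorization|cookie)", re.I)
# Values that look like bearer or API tokens even when stored under an innocent key (assumed shapes).
SECRET_VALUE = re.compile(r"^(Bearer\s+\S+|ghp_[A-Za-z0-9]{20,}|sk-[A-Za-z0-9]{20,})$")
# Fields that carry request bodies, which may contain PII and are therefore not retained.
BODY_FIELDS = ("body", "payload", "data")

def sanitize_args(args):
    """Return a copy of the operation arguments that is safe to store in an audit entry."""
    if isinstance(args, dict):
        out = {}
        for key, value in args.items():
            if SECRET_KEYS.search(key):
                out[key] = "[REDACTED]"          # keep the field name, drop the credential
            elif key in BODY_FIELDS:
                # Record only the shape of the body, never its contents.
                out[key] = {"_omitted": True, "_type": type(value).__name__}
            else:
                out[key] = sanitize_args(value)  # recurse into nested structures
        return out
    if isinstance(args, list):
        return [sanitize_args(v) for v in args]
    if isinstance(args, str) and SECRET_VALUE.match(args):
        return "[REDACTED]"
    return args

def build_audit_entry(account_id, session_id, operation, catalog_id, args, status, duration_ms):
    """Assemble an entry with the fields named in the Log Structure table (metadata layout assumed)."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "accountId": account_id,
        "sessionId": session_id,
        "operation": operation,
        "catalogId": catalog_id,
        "status": status,
        "duration": duration_ms,
        "metadata": {"arguments": sanitize_args(args)},
    }

if __name__ == "__main__":
    # Constructed sample call; the header value is a made-up placeholder, not a real token.
    sample_args = {"name": "demo", "headers": {"Authorization": "Bearer not-a-real-token"},
                   "body": {"email": "someone@example.invalid"}}
    print(json.dumps(build_audit_entry("acct_123", "sess_mcp_9", "github/repos.create",
                                       "github", sample_args, "success", 412), indent=2))
```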
Log Structure
Each audit entry includes:
| Field | Description |
|---|---|
| timestamp | When the event occurred (UTC) |
| accountId | Which account initiated the action |
| sessionId | Which session (browser, API key, MCP) |
| operation | The operation name or event type |
| catalogId | Which catalog was used (if applicable) |
| status | Success, failure, or pending |
| duration | How long the operation took |
| metadata | Additional context (varies by event type) |
Accessing Audit Logs
In the Dashboard
- Navigate to your account or organization
- Go to Settings → Audit
- Browse or search the activity log
Filtering
Filter audit logs by:
- Time range — Last hour, day, week, or custom range
- Operation — Specific API operations
- Status — Success, failure, or all
- Catalog — Activity within a specific catalog
- Member — Activity by a specific team member (orgs only)
Search
Search across logs for:
- Operation names
- API names
- Error messages
- Account identifiers
Organization Audit Logs
Organizations have consolidated audit views:
Member Activity
See what each team member is doing:
- Operations they’ve executed
- Credentials they’ve connected
- Resources they’ve accessed
Aggregated View
View all organization activity:
- Total operations per day/week/month
- Most-used operations
- Error rates and patterns
Access Control
| Role | View Own Activity | View All Activity | Export Logs |
|---|---|---|---|
| Owner | Yes | Yes | Yes |
| Admin | Yes | Yes | Yes |
| Member | Yes | No | No |
| Viewer | Yes | No | No |
Using Logs for Debugging
Troubleshooting Failed Calls
When an API call fails:
- Find the operation in audit logs
- Check the status and error details
- Review the arguments passed
- Compare with successful calls to the same operation
Common Issues Revealed by Logs
- 401 Unauthorized — Credential expired or revoked
- 403 Forbidden — Insufficient scopes
- 404 Not Found — Wrong resource identifier
- 429 Too Many Requests — Rate limiting hit
- 500 Internal Server Error — Upstream API issue
Timing Analysis
Use duration data to identify:
- Slow API endpoints
- Operations that consistently time out
- Performance trends over time
Retention
Default Retention
- Activity logs — 90 days
- Error logs — 180 days
- Authentication events — 1 year
Extended Retention
Enterprise plans can configure:
- Custom retention periods
- Long-term archival
- Compliance-specific retention
Export and Integration
Manual Export
Export logs as CSV or JSON:
- Go to Settings → Audit
- Set your filters
- Click Export
- Choose format (CSV or JSON)
API Access
Query audit logs programmatically for integration with:
- SIEM systems
- Custom dashboards
- Compliance tools
- Alerting systems
Compliance Considerations
SOC 2
Audit logs support SOC 2 requirements for:
- Access logging
- Change management
- Incident investigation
- Anomaly detection
GDPR
For GDPR compliance:
- Logs don’t contain personal data from API payloads
- Account deletion removes associated logs
- Export includes all logged activity for data portability
HIPAA
Healthcare organizations should:
- Enable extended retention
- Configure log export to compliant storage
- Review access patterns regularly
Best Practices
Regular Review
- Check audit logs weekly for anomalies
- Investigate unexpected operation patterns
- Verify only expected members are active
Set Up Alerts
Configure alerts for:
- Unusual error rates
- Off-hours activity
- New credential connections
- High-volume operations
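The alert conditions above, plus the error-rate and Timing Analysis checks from the debugging section, as an added worked example run over an exported JSON-style log (example code, not part of Toolcog or its API). The sample entries, the `httpStatus` key under `metadata`, the `auth.*` event names, the business-hours window and every threshold are constructed assumptions for the demo.

```python
from collections import Counter
from datetime import datetime
from statistics import median
# Builds a constructed audit entry in the Log Structure layout (httpStatus under metadata is assumed).
def entry(ts, account, op, status, http=None, duration=120):
    return {"timestamp": ts, "accountId": account, "sessionId": "sess_mcp", "operation": op,
            "catalogId": op.split("/")[0] if "/" in op else None, "status": status,
            "duration": duration, "metadata": {"httpStatus": http}}

# Constructed sample export; every name except github/repos.create is made up for the demo.
ENTRIES = [
    entry("2024-05-01T10:00:00Z", "acct_1", "github/repos.create", "failure", 401),
    entry("2024-05-01T10:01:00Z", "acct_1", "github/repos.create", "failure", 403),
    entry("2024-05-01T10:02:00Z", "acct_1", "github/repos.create", "success", 201),
    entry("2024-05-01T10:03:00Z", "acct_2", "slack/chat.postMessage", "success", 200),
    entry("2024-05-01T03:15:00Z", "acct_3", "auth.api_key_added", "success"),
    entry("2024-05-01T03:16:00Z", "acct_3", "github/repos.list", "success", 200, 2400),
    entry("2024-05-01T03:17:00Z", "acct_3", "github/repos.list", "success", 200, 2600),
    entry("2024-05-01T03:18:00Z", "acct_3", "github/repos.list", "success", 200, 2500),
]

def hour_utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour

def error_rate_alerts(entries, threshold=0.5, min_calls=3):
    """Operations whose failure share exceeds the threshold, given a minimum sample size."""
    calls, fails = Counter(), Counter()
    for e in entries:
        calls[e["operation"]] += 1
        fails[e["operation"]] += e["status"] == "failure"
    return sorted(op for op, n in calls.items() if n >= min_calls and fails[op] / n > threshold)

def off_hours_alerts(entries, start=22, end=6):
    """Accounts active outside 06:00-22:00 UTC (an assumed business-hours window)."""
    return sorted({e["accountId"] for e in entries if not end <= hour_utc(e["timestamp"]) < start})

def new_credential_alerts(entries, events=("auth.oauth_connected", "auth.api_key_added")):
    """Every credential-adding authentication event; the event names are assumed."""
    return [(e["accountId"], e["operation"]) for e in entries if e["operation"] in events]

def high_volume_alerts(entries, limit=3):
    """Accounts issuing more calls than the limit within the exported window."""
    counts = Counter(e["accountId"] for e in entries)
    return sorted(a for a, n in counts.items() if n > limit)

def slow_operations(entries, max_ms=2000):
    """Timing analysis: operations whose median duration exceeds max_ms."""
    by_op = {}
    for e in entries:
        by_op.setdefault(e["operation"], []).append(e["duration"])
    return sorted(op for op, ds in by_op.items() if median(ds) > max_ms)
```

Each function returns the identifiers to raise an alert on, so the same checks can feed a SIEM or alerting pipeline from the API export described below.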
Document Access
For compliance:
- Record who has audit log access
- Document review procedures
- Maintain evidence of regular reviews
Privacy and Security
Log Access is Logged
Access to audit logs is itself audited. You can see who viewed logs and when.
No Credential Exposure
Even when debugging, audit logs never reveal:
- OAuth tokens
- API keys
- Passwords
- Bearer tokens
You see that authentication was used, not what the credentials were.
Isolated by Account
Each account’s logs are isolated. Organization admins see org activity; they cannot see other organizations’ logs.