What gets logged
Every event answers five questions: who, what, when, where, and how it ended.
Who — the actor and its type
Each event names the actor and tags its type:
- You — a human acting in the vault UI or an authenticated client.
- Extension — the browser extension filling a form.
- Agent — a named AI agent or integration fetching through the CLI or proxy.
The type is always present, so agent activity never blends into your own. If a connected integration starts reading more than it should, it stands out on its own line.
What — the action
Events cover the full lifecycle of a credential, plus the actions around it:
| Group | Actions |
|---|---|
| Use | read, autofill, TOTP code, agent fetch |
| Change | create, update, delete, scope change |
| History | viewing an entry's past revisions |
| Admin | agent created / changed / removed, backup restore, import/export |
Reads and uses are logged the same as edits — there is no silent path to a secret.
When — the timestamp
Every event is stamped with the time it occurred, to the millisecond.
Where — the source
Each event records the source IP the request came from, so access from an unexpected location is visible.
How it ended — the outcome
Every event records its outcome, not just the successes:
- success — the action completed.
- failure — it was attempted but errored.
- denied — it was refused by policy, with a reason: scope denied, rate limited, agent locked, IP refused, and so on.
Filtering for denied is often the fastest way to see whether anything is probing at your vault's edges.
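One way to run the denied filter described above, as an added example that is not the product's own code. It assumes the audit log can be read as one JSON event per line; the field names (`ts`, `actor_type`, `actor`, `action`, `source_ip`, `outcome`, `reason`), the sample events and the threshold are all assumptions made for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed sample export, one JSON event per line. Field names are
# hypothetical: the page does not define an export schema.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00.120Z","actor_type":"you","actor":"alice","action":"read","source_ip":"203.0.113.5","outcome":"success"}
{"ts":"2024-05-01T09:01:10.004Z","actor_type":"agent","actor":"ci-bot","action":"agent fetch","source_ip":"198.51.100.7","outcome":"denied","reason":"scope denied"}
{"ts":"2024-05-01T09:01:10.950Z","actor_type":"agent","actor":"ci-bot","action":"agent fetch","source_ip":"198.51.100.7","outcome":"denied","reason":"scope denied"}
{"ts":"2024-05-01T09:01:11.300Z","actor_type":"agent","actor":"ci-bot","action":"agent fetch","source_ip":"198.51.100.7","outcome":"denied","reason":"rate limited"}
{"ts":"2024-05-01T09:02:00.000Z","actor_type":"extension","actor":"browser","action":"autofill","source_ip":"203.0.113.5","outcome":"success"}
{"ts":"2024-05-01T09:03:00.000Z","actor_type":"you","actor":"alice","action":"update","source_ip":"203.0.113.5","outcome":"failure"}
{"ts":"2024-05-01T09:04:00.000Z","actor_type":"agent","actor":"notes-sync","action":"agent fetch","source_ip":"192.0.2.44","outcome":"denied","reason":"IP refused"}
not-json residue from a truncated export
"""

def denied_clusters(lines, threshold=3):
    """Group denied events by (actor_type, actor, source_ip) and return
    the groups with at least `threshold` denials, busiest first."""
    groups = defaultdict(lambda: {"count": 0, "reasons": Counter(),
                                  "first": None, "last": None})
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip it, keep reviewing
        if not isinstance(ev, dict) or ev.get("outcome") != "denied":
            continue
        g = groups[(ev.get("actor_type"), ev.get("actor"), ev.get("source_ip"))]
        g["count"] += 1
        g["reasons"][ev.get("reason", "unspecified")] += 1
        ts = ev.get("ts", "")
        # Same-format UTC ISO 8601 strings sort chronologically as text.
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    hits = [{"actor_type": k[0], "actor": k[1], "source_ip": k[2],
             "count": g["count"], "reasons": dict(g["reasons"]),
             "first": g["first"], "last": g["last"]}
            for k, g in groups.items() if g["count"] >= threshold]
    return sorted(hits, key=lambda h: h["count"], reverse=True)

if __name__ == "__main__":
    for hit in denied_clusters(SAMPLE_LOG.splitlines()):
        print(hit)
```

Grouping by actor and source IP together keeps a single misconfigured agent distinct from the same agent name appearing at an unexpected address, and the per-reason counts show whether the denials are one policy repeating or several being tested in turn.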
What's tied to what
Change and history events link to the exact entry — and, for versioned changes, to the specific revision they produced. An update event points at the revision it created; a delete points at the tombstone. The audit log and your version history line up, event to revision.