Audit Log
How SikkerKey records every operation in an append-only audit trail.
Every operation in SikkerKey writes to an append-only audit log. Secret reads, authentication failures, permission changes, machine registrations, team invites, session management. Every entry records who did what, from where, and when.
What Gets Recorded
Each audit entry contains:
| Field | Description |
|---|---|
| Action | The operation type (e.g. secret_read, auth_failure) |
| User ID | The vault owner's ID (if applicable) |
| Machine ID | The machine that performed the action (if applicable) |
| Secret ID | The secret involved (if applicable) |
| Source IP | The IP address the request came from |
| Detail | Human-readable description of what happened |
| Timestamp | Millisecond-precision Unix timestamp |
Action Reference
Secret Actions
| Action | When it fires |
|---|---|
| secret_read | A machine successfully read a secret |
| secret_read_denied | A machine tried to read a secret it doesn't have access to |
| secret_create | A secret was created from the dashboard |
| secret_update | A secret's value was replaced or rolled back |
| secret_delete | A secret was deleted |
| secret_rotate | A machine rotated a secret via the SDK |
| secret_rotate_denied | A machine tried to rotate a secret it doesn't have access to |
| secret_note_update | A secret's note was edited |
Machine Actions
| Action | When it fires |
|---|---|
| machine_register | A new machine was registered via bootstrap |
| machine_approve | A pending machine was approved |
| machine_deny | A pending machine was denied and removed |
| machine_revoke | An approved machine was revoked and removed |
| machine_rename | A machine was renamed |
Project Actions
| Action | When it fires |
|---|---|
| project_create | A new project was created |
| project_update | A project was renamed or its description changed |
| project_delete | A project and all its contents were deleted |
| project_machine_add | A machine was added to a project |
| project_machine_remove | A machine was removed from a project |
Access Control Actions
| Action | When it fires |
|---|---|
| permission_grant | A machine was granted access to secrets in a project |
| bootstrap_token_create | A new bootstrap token was generated |
Team Actions
| Action | When it fires |
|---|---|
| team_invite | An invite was sent to a user |
| team_invite_accepted | A user accepted a vault invite |
| team_invite_declined | A user declined a vault invite |
| team_invite_cancelled | The owner cancelled a pending invite |
| team_member_remove | A team member was removed from the vault |
| team_permission_update | A team member's permissions were changed |
| team_joined | Logged on the invitee's own audit log when they join a vault |
Authentication Actions
| Action | When it fires |
|---|---|
| auth_failure | A machine authentication attempt failed (missing headers, unknown machine, disabled machine, invalid signature, etc.) |
| login_success | A user logged in via password |
| oauth_login | A user logged in via OAuth (GitHub) |
| user_register | A new user account was created |
Account Actions
| Action | When it fires |
|---|---|
| password_change | A user changed or set their password |
| 2fa_enable | Two-factor authentication was enabled |
| 2fa_disable | Two-factor authentication was disabled |
| session_revoke | A user revoked a specific session |
| session_revoke_all | A user revoked all other sessions |
Real-Time Updates
When an audit entry is recorded, it is immediately pushed to the vault owner's dashboard via Server-Sent Events (SSE). The audit log page updates in real time without polling or page refresh.
Email Alerts
If the vault owner has email alerts configured for an action, an email is dispatched asynchronously when that action fires. This is non-blocking and does not delay the original request. Alert preferences are managed from the Alerts page.
For example, if you enable alerts for auth_failure, you receive an email every time a machine authentication attempt fails against your vault.
Dashboard Filtering
The audit log page supports filtering and searching:
| Filter | What it does |
|---|---|
| Search | Searches the detail text (debounced, 300ms) |
| Action | Filter by specific action type from a dropdown |
| Source IP | Filter by exact source IP address |
| Time range | Filter to last hour, 24 hours, 7 days, or 30 days |
Filters are combined with AND logic. All filtering is done server-side with pagination. Click Clear to reset all filters.
Pagination
The audit log is paginated at 50 entries per page. The total entry count is shown at the bottom. Filters apply to the total count and pagination adjusts accordingly.
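As an added example (not SikkerKey's own code), the following Python models the entry fields from "What Gets Recorded" and applies the dashboard's AND-combined filters and 50-per-page pagination to constructed sample entries, plus a per-IP count of auth_failure entries of the kind an alert recipient might want to run. The AuditEntry class, helper function names and all sample values are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

PAGE_SIZE = 50  # the dashboard paginates at 50 entries per page

# Assumed model of one audit entry (field set taken from "What Gets Recorded").
@dataclass(frozen=True)
class AuditEntry:
    action: str
    detail: str
    source_ip: str
    timestamp_ms: int           # millisecond-precision Unix timestamp
    user_id: Optional[str] = None
    machine_id: Optional[str] = None
    secret_id: Optional[str] = None

# Time-range choices offered by the dashboard, expressed in milliseconds.
RANGES_MS = {"1h": 3_600_000, "24h": 86_400_000, "7d": 7 * 86_400_000, "30d": 30 * 86_400_000}

def filter_entries(entries, now_ms, search=None, action=None,
                   source_ip=None, time_range=None):
    """Apply the dashboard filters with AND semantics; None means 'not set'."""
    cutoff = now_ms - RANGES_MS[time_range] if time_range else None
    return [e for e in entries
            if (not search or search.lower() in e.detail.lower())
            and (not action or e.action == action)
            and (not source_ip or e.source_ip == source_ip)
            and (cutoff is None or e.timestamp_ms >= cutoff)]

def paginate(entries, page):
    """Return (entries on the 1-based page, total count after filtering)."""
    start = (page - 1) * PAGE_SIZE
    return entries[start:start + PAGE_SIZE], len(entries)

def auth_failures_by_ip(entries):
    """Count auth_failure entries per source IP to spot a noisy source."""
    return Counter(e.source_ip for e in entries if e.action == "auth_failure")

NOW_MS = 1_700_000_000_000  # constructed "now"; sample IPs/IDs below are made up
SAMPLE = [
    AuditEntry("auth_failure", "Invalid signature from machine 'web-01'",
               "203.0.113.7", NOW_MS - 60_000, machine_id="m-1"),
    AuditEntry("auth_failure", "Unknown machine", "203.0.113.7", NOW_MS - 30_000),
    AuditEntry("secret_read", "Secret 'db-password' read by machine 'web-01'",
               "198.51.100.4", NOW_MS - 2 * 86_400_000, machine_id="m-1", secret_id="s-9"),
    AuditEntry("secret_create", "Secret 'db-password' created by team member 'alice'",
               "198.51.100.9", NOW_MS - 40 * 86_400_000, user_id="u-1", secret_id="s-9"),
] + [AuditEntry("secret_read", f"Secret 'cache-{i}' read by machine 'web-01'",
                "198.51.100.4", NOW_MS - i * 1_000, machine_id="m-1") for i in range(60)]
```

With the sample above, the last-hour view holds 62 entries (the 60 reads and both auth failures), so page 2 shows the remaining 12, and the 40-day-old secret_create drops out of the 30-day view.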
Team Member Actions
When a team member performs an action on a shared project (creating a secret, adding a machine, etc.), the audit entry is recorded on the vault owner's audit log with the team member's username in the detail string. For example:
- "Secret 'db-password' created by team member 'alice'"
- "Machine removed from project by 'bob'"
This gives the vault owner full visibility over what team members are doing in their shared projects.
What the Audit Log Does Not Contain
- Decrypted secret values: the audit log records that a secret was read, created, or rotated, but never the plaintext value.
- Passphrases: the passphrase is never logged.
- Private keys: machine private keys are never transmitted to SikkerKey, so they cannot appear in the audit log.