Your vault keeps receipts.
Every secret read, every permission change, every machine authentication - logged the moment it happens. Filter by action, severity, machine, or time range. Export to CSV. Get email alerts and webhook notifications on the events you care about. Lock your vault to specific networks with IP allowlisting.
Severity-tagged from the start
Every audit entry is classified by severity so you can focus on what matters. Filter your log by severity level, or configure email alerts to fire only on the events you care about.
Alerts on the events that matter
Configure per-action email alerts from the dashboard. Toggle exactly which actions trigger a notification. When a critical event fires, you get an email with the action, detail, source IP, and timestamp - before the attacker knows you noticed.
For automated workflows, set up webhooks that deliver signed JSON payloads to your own HTTP endpoints. Each delivery is signed with HMAC-SHA256 so you can verify authenticity. Subscribe to exactly the events you need and integrate with Slack, PagerDuty, or your own tooling.
Docs →
Live updates, no refresh
Audit events stream to your dashboard in real time via server-sent events. See a secret read the moment it happens. Watch machine registrations appear as they come in. The overview page shows a live activity feed with warning highlights for denied reads and auth failures.
Docs →
Export everything
Download your full audit log as CSV with one click. Filter first, then export - get exactly the records you need for compliance reviews, incident investigations, or regulatory reporting. All fields included: timestamp, action, severity, source IP, machine ID, secret ID, and detail.
Docs →
Lock your vault to your network
Restrict machine access to specific IP addresses or CIDR ranges. When IP allowlisting is enabled, requests from IPs not on the list are rejected immediately - before authentication even runs. The response is a generic denial that reveals nothing about the vault.
Define your allowed networks in the dashboard. Add individual IPs, CIDR ranges, or both. Supports IPv4 and IPv6. Every change to the allowlist is recorded in the audit log.
Docs →
Built for accountability
Every detail, every actor, every timestamp.
Full attribution
Every entry records who did what: user ID, machine ID, source IP, and a human-readable detail string. No anonymous actions.
Filterable log
Filter by action type, severity level, time range, or search by keyword. Find the exact event you're looking for in seconds.
Plan-based retention
Audit log retention scales with your plan. Free plans retain 7 days. Paid plans retain 30, 90, or 365 days depending on tier.
Machine-attributed reads
Every secret read records which machine accessed it, from which IP, at what time. Trace exactly how your secrets are being consumed.
Reads over time
Visual charts showing secret read volume per project over time. Spot anomalies, track usage patterns, and identify unexpected access.
Tamper-resistant
Audit entries are append-only. Users cannot edit or delete their own audit log. The trail is authoritative.
Stop guessing who accessed what.
Every read, every change, every machine - logged and attributed. Start for free.
Get Started Free