Audit log
Every code, every read, every change — logged.
Kaito records every meaningful action, retains it for a year, and exports it to your SIEM in real time. Hash-chained for tamper-evidence.
What we log
If it touched a secret, we wrote it down.
Authentication
- Sign-in success / failure
- MFA challenge issued / passed / failed
- Session created / revoked
- API key created / used / revoked
Tokens (TOTP)
- Token created / updated / deleted
- Code generated (web or API)
- Seed viewed (rare, flagged)
- Permission granted / revoked
SMS
- Number provisioned / released
- Inbound message received / read
- Outbound message sent (Business+)
- Webhook forwards
Organization
- User invited / removed / role changed
- Group changes
- Plan / billing events
- Org settings changes
Retention, export, integration
Plug it into the tools your security team already runs.
Retention
365 days standard, 7 years on Enterprise, configurable per-org.
Export
CSV, JSON, NDJSON. Filter by user, action, target, or date range.
Streaming
Webhooks (signed, retried), S3 / GCS sync (Business+), Datadog / Splunk / Panther (Enterprise).
Tamper-evidence
Each entry is hash-chained; we publish the rolling head hash at .well-known/audit-head.
Search
Index by every field. Common filters surfaced as one-click chips.
Replay
Reconstruct any user's session timeline for an incident.
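What the hash chain under "Tamper-evidence" gives an auditor, as an added example that is not Kaito's own code or export format. Assumptions: each exported NDJSON entry carries hypothetical "prev" and "hash" fields, with hash = SHA-256(prev + canonical JSON of the remaining fields), and the final hash is compared with a head value obtained separately.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "prev" value of the very first entry

def entry_hash(prev: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no spaces) keeps the digest reproducible.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + canon).encode()).hexdigest()

def build_chain(bodies):
    """Chain constructed entries; stands in for the logging side."""
    prev, chain = GENESIS, []
    for body in bodies:
        digest = entry_hash(prev, body)
        chain.append({**body, "prev": prev, "hash": digest})
        prev = digest
    return chain

def to_ndjson(entries) -> str:
    return "\n".join(json.dumps(e) for e in entries)

def verify_export(ndjson: str, published_head: str):
    """Walk an NDJSON export; return (ok, reason)."""
    prev = GENESIS
    for n, line in enumerate(filter(None, ndjson.splitlines()), 1):
        entry = json.loads(line)
        body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry.get("prev") != prev:
            return False, f"entry {n}: broken link (entry removed or reordered)"
        if entry.get("hash") != entry_hash(prev, body):
            return False, f"entry {n}: content does not match its hash"
        prev = entry["hash"]
    if prev != published_head:
        return False, "head mismatch (export truncated or chain rewritten)"
    return True, "chain intact"

# Constructed sample entries (users and action names other than
# token.code.generate are made up for this example).
SAMPLE = build_chain([
    {"user": "alice@example.com", "action": "auth.signin.success", "ts": "2026-01-05T09:00:00Z"},
    {"user": "alice@example.com", "action": "token.code.generate", "ts": "2026-01-05T09:01:10Z"},
    {"user": "bob@example.com", "action": "token.seed.view", "ts": "2026-01-05T09:07:42Z"},
])
HEAD = SAMPLE[-1]["hash"]  # stands in for the value fetched from audit-head

if __name__ == "__main__":
    print(verify_export(to_ndjson(SAMPLE), HEAD))
    edited = [dict(e) for e in SAMPLE]
    edited[1]["user"] = "mallory@example.com"  # in-place edit, hashes untouched
    print(verify_export(to_ndjson(edited), HEAD))
```

The per-entry checks catch edits and deletions inside the export; only the comparison against an independently obtained head catches a chain that was truncated or recomputed end to end.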
A real query
Show, don't tell.
"Show me everyone who viewed the AWS root TOTP code in the last 7 days." Returns in milliseconds. The same query is the format we hand to your auditor.
```bash
$ curl "https://api.kaito.io/v1/audit?action=token.code.generate&target=token:aws-root&since=7d" \
    -H "Authorization: Bearer kto_live_••••••••"
# → [
#     { "user": "marco@kaito.io", "ts": "2026-04-29T18:42:11Z", "ip": "…" },
#     { "user": "priya@kaito.io", "ts": "2026-04-28T03:17:02Z", "ip": "…" }
#   ]
```