Skip to main content
Devctrl logs every authorization decision. Every time an agent calls a tool through the gateway, an audit record is created — whether the call was allowed or denied.

What’s captured

Each audit record includes:
FieldDescription
IdentityWhich agent made the request (name, ID, labels)
TaskWhich task session was active (name, context, labels)
ToolWhich tool was called and with what arguments
DecisionAllow or deny
ReasonWhy the decision was made — which policy matched, or if it was the default action
Policy resultsPer-policy evaluation results showing which rules passed and which didn’t
ResponseThe upstream response and duration (for allowed calls)
TimestampWhen the call was made

Why it matters

Audit logs serve three purposes:
  • Compliance — prove to auditors that agents only accessed what they were authorized to access. Meets EU AI Act, GDPR, and SOC2 transparency requirements.
  • Debugging — understand why a tool call was denied. See exactly which policy rule blocked it and what context was evaluated.
  • Monitoring — track agent behavior over time. Spot anomalies, measure usage patterns, identify policy gaps.

Viewing audit logs

Navigate to Executions in the console to browse audit logs. You can filter by:
  • Identity name
  • Task name
  • Tool name
  • Decision (allow/deny)
  • Time range
Each entry expands to show the full evaluation context, including the CEL variables that were available during policy evaluation.

Durability

Audit records are designed to survive entity deletion:
  • If you delete an identity, its audit records remain
  • If you delete a task, its audit records remain
  • Audit records are only deleted when the entire project is deleted
Audit log retention depends on your plan. Free plans retain logs for 24 hours. Business plans retain logs for 30 days. Enterprise plans retain logs for 1 year.

Example audit record

{
  "id": "eval_abc123",
  "projectId": "proj_xyz",
  "identityId": "id_support01",
  "identityName": "support-agent",
  "taskId": "task_resolve",
  "taskName": "resolve-ticket",
  "tool": "get_customer",
  "arguments": { "customer_id": "cust_456" },
  "decision": "ALLOW",
  "policyResults": [
    {
      "policyName": "allow-support-reads",
      "type": "allow",
      "expression": "identity.labels.team == \"support\" && request.tool.name.startsWith(\"get_\")",
      "result": true
    }
  ],
  "duration": "142ms",
  "timestamp": "2026-04-10T12:30:45Z"
}

Next steps

View executions

Browse and filter audit logs in the console.

Policies

Understand how policies create the rules that audit logs record.