Audit Logging
Audit logs answer the question "who did what through your API, and when?" — providing a structured, searchable record of every request and business event that flows through your gateway. This page explains why audit logging matters and the options Zuplo gives you for capturing an audit trail.
Why audit logging?
Audit logging plays a critical role in API security: it lets you detect and investigate issues such as unauthorized access or permission elevation, and reconstruct exactly what happened to a resource after the fact. It's also a hard requirement for many compliance certifications (SOC 2, ISO 27001, HIPAA, PCI DSS) and a common buying criterion for enterprise customers of your API.
Unlike request logs — which are optimized for debugging and operational visibility — audit logs are structured business records: each event identifies an actor, an action, and the resources affected, in a stable format you can retain, search, and hand to an auditor.
Options for audit logging
Zuplo supports two approaches, depending on where you want your audit trail to live:
- Zuplo Audit Logs — the recommended approach for most APIs. Add a single policy and Zuplo records, stores, and indexes a structured audit event for every request. You can search the events in the Zuplo Portal, query them through the Zuplo API, and export them to a SIEM. No code or infrastructure required.
- Custom audit logs — write a small custom policy that sends audit events to any external audit provider (for example, WorkOS Audit Logs). Full control over the event format and destination.
| Zuplo Audit Logs | Custom audit logs | |
|---|---|---|
| Setup | Add a policy | Write policy code |
| Storage | Managed by Zuplo | Your provider |
| Viewing | Zuplo Portal + Zuplo API | Your provider's tools |
| Availability | Enterprise (free to test) | All plans |
Zuplo Audit Logs is an enterprise feature, but anyone can use it for free for development and testing purposes.
Gateway audit logs versus account audit logs
Zuplo has two separate audit trails — the options above all concern the first:
- Gateway audit logs record traffic through your API: requests from your API's consumers and custom events emitted by your gateway code.
- Account audit logs record administrative activity in your Zuplo account: project changes, team member management, deployments, and other portal and API operations.
Next steps
- Zuplo Audit Logs — enable the built-in feature and start recording events
- Custom audit logs — send audit events to an external provider
- Audit Logs policy reference — all configuration options and the full event shape