Skip to main content

Audit Logs

Every action in Conto — creating agents, executing payments, changing policies, freezing accounts — is recorded in an immutable audit log with SHA-256 hash chains for tamper detection.

What Gets Logged

Actions

ActionDescription
CREATEResource created (agent, wallet, policy, etc.)
UPDATEResource modified
DELETEResource removed
APPROVE / REJECTApproval decision made
SUSPEND / ACTIVATEAgent frozen or unfrozen
FUND / WITHDRAW / TRANSFERWallet balance changes
PAYMENT_EXECUTEDPayment submitted onchain
PAYMENT_CONFIRMEDPayment confirmed onchain
PAYMENT_DENIEDPayment blocked by policy
PAYMENT_FAILEDPayment transaction failed
EXTERNAL_PAYMENT_APPROVALExternal wallet payment approved
EXTERNAL_PAYMENT_CONFIRMEDExternal wallet payment confirmed
POLICY_VIOLATIONPolicy rule triggered
ALERT_CREATED / ALERT_RESOLVEDAlert lifecycle
SETTINGS_CHANGEDOrganization settings modified
PERMISSION_GRANTED / PERMISSION_REVOKEDRole or scope changes
LOGIN / LOGOUTUser session events
AUDIT_LOG_EXPORTEDAudit log data exported

Resources

Logs track actions on: agent, wallet, transaction, policy, policy_rule, organization, user, member, api_key, sdk_key, alert, counterparty, relationship, settings, approval_request, approval_workflow, payment_request.

Log Entry Fields

Each audit log entry contains:
FieldDescription
actionWhat happened (CREATE, UPDATE, DELETE, etc.)
resourceWhat type of resource was affected
resourceIdID of the affected resource
previousStateState before the change (JSON)
newStateState after the change (JSON)
actorTypeWho did it: USER, API, AGENT, or SYSTEM
actorIdUser ID, API key ID, or “system”
ipAddressClient IP (from reverse proxy headers)
userAgentClient user agent string
metadataAdditional context (audit hash, change diff, API key ID)
createdAtWhen the action occurred

Change Detection

When a resource is updated, the audit service automatically diffs the previous and new states and records which fields changed: 
{
  "changes": [
    { "field": "status", "oldValue": "ACTIVE", "newValue": "SUSPENDED" },
    { "field": "spendLimitDaily", "oldValue": 1000, "newValue": 500 }
  ]
}

Tamper-Evident Hash Chain

Each log entry includes a SHA-256 hash computed over the previous entry’s hash, the timestamp, action, resource, and state data. This creates a chain where modifying any entry invalidates all subsequent hashes. You can verify chain integrity via the API: 
curl -X POST https://conto.finance/api/audit-logs/verify \
  -H "Authorization: Bearer $CONTO_ORG_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "startDate": "2026-01-01T00:00:00Z",
    "endDate": "2026-04-07T00:00:00Z"
  }'
Response: 
{
  "valid": true,
  "totalLogs": 1247,
  "verifiedLogs": 1247
}
If tampering is detected, the response includes brokenAt with the ID of the first compromised entry.

Viewing Logs

Dashboard

Go to Audit Logs in the sidebar. Filter by:
  • Action type
  • Resource type
  • Actor (user or API key)
  • Date range

API

curl "https://conto.finance/api/audit-logs?resource=agent&action=SUSPEND&limit=20" \
  -H "Authorization: Bearer $CONTO_ORG_KEY"

IP Attribution

Audit logs capture the client IP address using platform-set headers in this priority order:
  1. cf-connecting-ip (Cloudflare)
  2. x-real-ip (nginx)
  3. x-forwarded-for first entry (Vercel)
This allows tracing actions back to specific network locations for security investigations.