Skip to content

Tail and Query the Audit Stream

Use audit when a request is denied, step-up is triggered, delegation behaves unexpectedly, or an operator needs evidence for a run.

  1. Open caracal web.
  2. Select Audit.
  3. Filter by zone, decision, event type, or request ID.
  4. Open the event detail to inspect metadata, determining policies, and diagnostics.
  5. Open the decision trace from the event for a full request-level view.
import { AdminClient } from "@caracalai/admin";
const admin = new AdminClient({
apiUrl: process.env.CARACAL_API_URL!,
adminToken: process.env.CARACAL_ADMIN_TOKEN!,
});
const events = await admin.audit.list(process.env.CARACAL_ZONE_ID!, {
decision: "deny",
limit: 25,
});
const trace = await admin.audit.explain(process.env.CARACAL_ZONE_ID!, events[0].request_id!);
console.log(trace.final_decision, trace.denied);
FilterUse it for
Request IDStitch together STS, Gateway, connector, and explain events.
DecisionFind denies, allows, or partial decisions.
Event typeFocus on policy, session, delegation, step-up, or admin changes.
Time windowInvestigate a run, incident, or rollout.
  • request ID;
  • zone ID;
  • application ID;
  • resource identifier;
  • requested scopes;
  • final decision;
  • determining policies;
  • diagnostics;
  • session or delegation edge IDs when present.

Related page: Audit and Request Traces.