Tamper-Evident Audit Logging API
GoodAudit gives your SaaS cryptographic proof that audit logs haven't been tampered with. Ship HIPAA, SOC 2, PCI-DSS, and GDPR evidence packages with a single API call.
POST /api/v1/audit-logs
{
  "action": "patient_chart_viewed",
  "actor_id": "usr_8xK2mN",
  "resource_type": "medical_record",
  "resource_id": "rec_4jP9qL",
  "outcome": "success",
  "extensions": {
    "hipaa": { "phi_accessed": true }
  }
}
// Response: entry chained with HMAC-SHA-256
// sequence_number: 1847, checksum: "a3f8c1..."

The Problem
Traditional audit logs live in the same database as everything else. Anyone with write access can silently rewrite history — and you'd never know. When an auditor asks "prove these logs are authentic," most teams can't.
Database admins can alter or delete log entries with no trace. Standard ORMs provide zero integrity guarantees.
Audit prep takes weeks of querying, formatting, and cross-referencing logs into framework-specific evidence packages.
Self-attested logs carry no weight in legal proceedings or regulatory investigations. You need an external witness.
How It Works
Send events through our API. We chain, verify, and anchor them — so you can prove integrity to any auditor, regulator, or court.
Log any action — PHI access, config changes, login attempts — with a single POST. We accept your schema and validate against active compliance frameworks.
Each entry is assigned a gap-free sequence number and an HMAC-SHA-256 checksum chained to the previous entry. Altering any record breaks the chain.
Generate framework-specific compliance reports — HIPAA PHI access logs, SOC 2 change evidence, PCI-DSS access reports — with verified chain integrity.
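To make the chaining described above concrete, here is an added illustration (not GoodAudit's own code; the key, the sample events, the genesis value and the exact byte layout fed to the HMAC are assumptions): a minimal HMAC-SHA-256 chain with gap-free sequence numbers, a verifier that reports altered, inserted or deleted records, and the checkpoint data (chain head checksum, sequence number, timestamp) that the External Anchoring section later hands to the witness.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment uses a per-account secret that never ships in client code.
ACCOUNT_KEY = b"demo-account-hmac-key"
GENESIS = "00" * 32  # "previous checksum" for the very first entry (assumed convention)

# Constructed sample events, shaped like the POST body shown on this page.
EVENTS = [
    {"action": "patient_chart_viewed", "actor_id": "usr_8xK2mN", "resource_id": "rec_4jP9qL", "outcome": "success"},
    {"action": "login", "actor_id": "usr_8xK2mN", "resource_id": "session", "outcome": "failure"},
    {"action": "config_changed", "actor_id": "usr_admin1", "resource_id": "retention_policy", "outcome": "success"},
]

def link_checksum(key: bytes, seq: int, prev_checksum: str, entry: dict) -> str:
    """HMAC-SHA-256 over (sequence number, previous checksum, canonical JSON of the entry)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(seq.to_bytes(8, "big"))
    mac.update(bytes.fromhex(prev_checksum))
    mac.update(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode())
    return mac.hexdigest()

def build_chain(key: bytes, events: list) -> list:
    """Assign gap-free sequence numbers and chain every entry to its predecessor's checksum."""
    chain, prev = [], GENESIS
    for seq, event in enumerate(events, start=1):
        checksum = link_checksum(key, seq, prev, event)
        chain.append({"sequence_number": seq, "checksum": checksum, "entry": event})
        prev = checksum
    return chain

def verify_chain(key: bytes, chain: list) -> tuple:
    """Recompute every link; returns ("intact" | "gap" | "broken", detail)."""
    prev = GENESIS
    for expected_seq, record in enumerate(chain, start=1):
        seq = record["sequence_number"]
        if seq != expected_seq:  # a deleted or inserted record shows up as a sequence gap
            return "gap", f"expected sequence {expected_seq}, found {seq}"
        recomputed = link_checksum(key, seq, prev, record["entry"])
        if not hmac.compare_digest(recomputed, record["checksum"]):
            return "broken", f"checksum mismatch at sequence {seq}"  # altered entry or forged link
        prev = recomputed
    return "intact", f"{len(chain)} entries verified"

def checkpoint(chain: list, timestamp: str) -> dict:
    """Checkpoint data to anchor externally: chain head checksum + sequence number + timestamp."""
    head = chain[-1]
    return {"head_checksum": head["checksum"], "sequence_number": head["sequence_number"], "timestamp": timestamp}
```

Removing only the newest records leaves the remaining chain self-consistent, so the chain alone cannot prove the log is complete; comparing the current head against the externally anchored checkpoint is what catches that case.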
Features
GoodAudit isn't a GRC platform you log into quarterly. It's the cryptographic backbone your application writes to on every action.
Every audit entry is cryptographically chained to its predecessor using per-account HMAC keys. Altering, inserting, or deleting any record breaks the chain — detectable by anyone with verification access.
Checkpoints are signed by an independent witness service using Ed25519 keypairs. Even if your entire database is compromised, anchored records are provably intact.
Built-in event taxonomies and report templates for HIPAA, SOC 2, PCI-DSS, GDPR, and ISO 27001. Activate frameworks per account and get pre-built evidence packages for each.
Fine-grained permissions with public keys for read access and secret keys for writes. Scope by operation, resource, or environment. Keys are hashed at rest with prefix-based identification.
Rotate HMAC keys without breaking historical verification. Versioned keys with dual-verify windows ensure continuous chain integrity during cutover. Every rotation is itself an audited event.
Retention is automatically computed from active frameworks — HIPAA's 6 years, PCI-DSS's 1 year, GDPR's purpose-based limits. Conflicts are surfaced, not silently resolved.
Compliance Frameworks
Each framework defines event taxonomies, report templates, and retention rules. Activate the frameworks you need — we generate the evidence packages your auditors expect.
HIPAA: PHI access reports, user activity logs, failed authentication tracking, minimum necessary compliance.
SOC 2: Change management evidence, production access logs, incident response timelines, control activity summaries.
PCI-DSS: Cardholder data access logs, key management reports, network access tracking, privileged user activity.
GDPR: Records of processing activities, data subject request logs, consent tracking, cross-border transfer records.
ISO 27001: Information security event logs, access control evidence, incident management records, management review data.
Custom frameworks: Define your own event taxonomies, validation rules, and report templates. Map internal actions to any framework.
External Anchoring
An HMAC chain proves internal consistency, but the same system that stores your logs also stores the checksums. Anyone with full database access could rewrite both. That's why GoodAudit anchors checkpoints to checksum.dev — an independent cryptographic witness service.
Every hour, GoodAudit submits your chain's checkpoint data to checksum.dev, which signs it with Ed25519 keypairs and stores the receipt independently. Once anchored, your audit trail is provably intact — verifiable by auditors, regulators, or courts without trusting GoodAudit's infrastructure at all.
1. GoodAudit creates a checkpoint: chain head checksum + sequence number + timestamp.
2. The checkpoint is sent to checksum.dev via POST /api/v1/anchors.
3. checksum.dev signs it with Ed25519 and returns signature, anchored_at, and signing_key_id.
4. The receipt is stored on both sides: independent proof, verifiable without trusting either system.
Zero-trust verification: Auditors can verify anchored checkpoints directly against checksum.dev's public JWKS endpoint — no access to GoodAudit required.
Developer Experience
A clean REST API with OpenAPI specs, typed SDKs, and scoped API keys. No agent to install, no SIEM to configure. Send structured events — we handle the cryptography, chaining, and compliance mapping.
GET /api/v1/chain/verify
{
  "status": "intact",
  "entries": 184729,
  "gaps": 0,
  "checkpoints": 2847,
  "anchor_results": {
    "anchored": 2841,
    "pending": 6,
    "signatures": "all_valid",
    "key_status": "trusted"
  }
}

Why Teams Switch
Ship your first tamper-evident audit entry in under 5 minutes. No credit card required.