Tamper-Evident Audit Logging API

Prove every action.
Pass every audit.

GoodAudit gives your SaaS cryptographic proof that audit logs haven't been tampered with. Session recordings, consent certificates, and compliance evidence packages for TCPA, HIPAA, SOC 2, PCI-DSS, and GDPR — all from one API.

Create a tamper-evident audit entry
POST /api/v1/audit-logs

{
  "action":        "patient_chart_viewed",
  "actor_id":      "usr_8xK2mN",
  "resource_type": "medical_record",
  "resource_id":   "rec_4jP9qL",
  "outcome":       "success",
  "extensions": {
    "hipaa": { "phi_accessed": true }
  }
}

// Response: entry chained with HMAC-SHA-256
// sequence_number: 1847, checksum: "a3f8c1..."

The Problem

Your audit logs are only as trustworthy as your database admin

Traditional audit logs live in the same database as everything else. Anyone with write access can silently rewrite history — and you'd never know. When an auditor asks "prove these logs are authentic," most teams can't.

Silent Tampering

Database admins can alter or delete log entries with no trace. Standard ORMs provide zero integrity guarantees.

Manual Evidence

Audit prep takes weeks of querying, formatting, and cross-referencing logs into framework-specific evidence packages.

No Independent Proof

Self-attested logs carry no weight in legal proceedings or regulatory investigations. You need an external witness.

How It Works

Three lines of code. Cryptographic certainty.

Send events through our API. We chain, verify, and anchor them — so you can prove integrity to any auditor, regulator, or court.

1. Send events via API

Log any action — PHI access, config changes, login attempts — with a single POST. We accept your schema and validate against active compliance frameworks.

2. We chain every entry

Each entry is assigned a gap-free sequence number and an HMAC-SHA-256 checksum chained to the previous entry. Altering any record breaks the chain.

3. Export audit-ready evidence

Generate framework-specific compliance reports — HIPAA PHI access logs, SOC 2 change evidence, PCI-DSS access reports — with verified chain integrity.

Features

Audit infrastructure, not another dashboard

GoodAudit isn't a GRC platform you log into quarterly. It's the cryptographic backbone your application writes to on every action.

HMAC-SHA-256 Chain Integrity

Every audit entry is cryptographically chained to its predecessor using per-account HMAC keys. Altering, inserting, or deleting any record breaks the chain — detectable by anyone with verification access.

External Anchoring

Checkpoints are signed by an independent witness service using Ed25519 keypairs. Even if your entire database is compromised, anchored records are provably intact.

Multi-Framework Compliance

Built-in event taxonomies and report templates for HIPAA, SOC 2, PCI-DSS, GDPR, and ISO 27001. Activate frameworks per account and get pre-built evidence packages for each.

Scoped API Keys

Fine-grained permissions with public keys for read access and secret keys for writes. Scope by operation, resource, or environment. Keys are hashed at rest with prefix-based identification.

Zero-Downtime Key Rotation

Rotate HMAC keys without breaking historical verification. Versioned keys with dual-verify windows ensure continuous chain integrity during cutover. Every rotation is itself an audited event.
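As an added illustration of the three-step flow above (send, chain, verify) and of the versioned-key rotation just described, the following Go snippet is not GoodAudit's own code: the entry layout, the zero-byte field separator and the map of key versions are assumptions. It seals each entry under the currently active key version and verifies the whole chain while retired key versions remain available, so an altered, deleted or re-sealed entry is reported.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Entry is a constructed minimal audit record with the chained checksum.
type Entry struct {
	Seq                  uint64 // gap-free sequence number
	KeyID, Action, Actor string // HMAC key version that sealed it, plus event fields
	Checksum             []byte
}

// mac is HMAC-SHA-256 over previous checksum || seq || key id || event fields.
func mac(key, prev []byte, e Entry) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(prev)
	for _, f := range []string{fmt.Sprint(e.Seq), e.KeyID, e.Action, e.Actor} {
		h.Write([]byte{0}) // separator so field boundaries cannot be shifted
		h.Write([]byte(f))
	}
	return h.Sum(nil)
}

// Append seals a new entry under the currently active key version keyID.
func Append(chain []Entry, keys map[string][]byte, keyID, action, actor string) []Entry {
	e := Entry{Seq: 1, KeyID: keyID, Action: action, Actor: actor}
	var prev []byte
	if n := len(chain); n > 0 {
		prev, e.Seq = chain[n-1].Checksum, chain[n-1].Seq+1
	}
	e.Checksum = mac(keys[keyID], prev, e)
	return append(chain, e)
}

// Verify walks the chain from the first entry. keys must still hold every
// retired key version, so entries sealed before a rotation keep verifying.
func Verify(chain []Entry, keys map[string][]byte) error {
	var prev []byte
	for i, e := range chain {
		if key, ok := keys[e.KeyID]; e.Seq != uint64(i)+1 || !ok || !hmac.Equal(mac(key, prev, e), e.Checksum) {
			return fmt.Errorf("chain broken at position %d (seq %d, key %q): gap, unknown key version or altered entry", i, e.Seq, e.KeyID)
		}
		prev = e.Checksum
	}
	return nil
}
```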

Session Recordings

Capture full DOM session recordings via rrweb, checksummed with SHA-256 and chained into your audit log. Replay in-dashboard or mint signed URLs for external playback.

Consent Certificates

Mint shareable, time-boxed certificate URLs that prove who consented, when, where, and to what — backed by your HMAC chain. A cryptographically stronger alternative to TrustedForm.

Smart Retention Policies

Retention is automatically computed from active frameworks — HIPAA's 6 years, PCI-DSS's 1 year, GDPR's purpose-based limits. Conflicts are surfaced, not silently resolved.

TCPA Compliance

Session recordings & consent certificates — a better alternative to TrustedForm

TrustedForm gives you a certificate. GoodAudit gives you the full picture — tamper-evident session recordings that capture exactly what a consumer saw and did, plus cryptographically chained consent certificates that prove the recording hasn't been altered. Every frame, every click, every consent event is HMAC-chained into your audit log.

When a TCPA dispute hits, you don't just have a timestamp and an IP address. You have a visual replay of the entire session, a signed consent certificate, and a cryptographic proof chain that holds up in court. See it in action at goodleads.dev — a lead generation platform built on GoodAudit's session recording and consent infrastructure.

  • Full DOM session recordings via rrweb — capture what the consumer actually saw
  • SHA-256 checksummed recordings chained to your audit log
  • Consent certificates with chain integrity proof — who, when, where, and what they agreed to
  • Shareable certificate URLs with 1-hour signed tokens — no login required
  • External replay — embed session playback in your own compliance dashboard
  • Cryptographic proof chain that survives legal discovery
GoodAudit vs TrustedForm

TrustedForm: Certificate with timestamp, IP, and page snapshot

GoodAudit: Full session recording + consent certificate + cryptographic chain proof

  TrustedForm                    GoodAudit
  Point-in-time snapshot         Full DOM session recording
  Self-attested certificate      HMAC-chained proof
  No replay capability           Embeddable replay
  Separate system to manage      Part of your audit infrastructure

Live example: goodleads.dev uses GoodAudit session recordings and consent certificates to provide TCPA-compliant lead generation with full visual proof of consumer consent.

Compliance Frameworks

Audit-ready evidence, not raw database dumps

Each framework defines event taxonomies, report templates, and retention rules. Activate the frameworks you need — we generate the evidence packages your auditors expect.

TCPA (retention: per campaign)

Session recordings of consumer consent, signed consent certificates, visual proof for dispute defense, lead-level audit trails.

HIPAA (retention: 6 years)

PHI access reports, user activity logs, failed authentication tracking, minimum necessary compliance.

SOC 2 (retention: 1 year)

Change management evidence, production access logs, incident response timelines, control activity summaries.

PCI-DSS (retention: 1-3 years)

Cardholder data access logs, key management reports, network access tracking, privileged user activity.

GDPR (retention: purpose-based)

Records of processing activities, data subject request logs, consent tracking, cross-border transfer records.

ISO 27001 (retention: 3 years)

Information security event logs, access control evidence, incident management records, management review data.

Custom (retention: configurable)

Define your own event taxonomies, validation rules, and report templates. Map internal actions to any framework.

External Anchoring

Independent proof your logs existed — even if your database is compromised

An HMAC chain proves internal consistency, but the same system that stores your logs also stores the checksums. Anyone with full database access could rewrite both. That's why GoodAudit anchors checkpoints to checksum.dev — an independent cryptographic witness service.

Every hour, GoodAudit submits your chain's checkpoint data to checksum.dev, which signs it with Ed25519 keypairs and stores the receipt independently. Once anchored, your audit trail is provably intact — verifiable by auditors, regulators, or courts without trusting GoodAudit's infrastructure at all.

  • Ed25519 digital signatures on every checkpoint
  • Independent storage — survives full database compromise
  • Automatic hourly anchoring with retry for missed checkpoints
  • Offline verification via public JWKS endpoint
  • Key lifecycle tracking — rotation, revocation, trust status
How anchoring works

1. GoodAudit creates a checkpoint: chain head checksum + sequence number + timestamp

2. Checkpoint sent to checksum.dev: POST /api/v1/anchors

3. checksum.dev signs with Ed25519 and returns signature, anchored_at, signing_key_id

4. Receipt stored on both sides: independent proof, verifiable without trusting either system

Zero-trust verification: Auditors can verify anchored checkpoints directly against checksum.dev's public JWKS endpoint — no access to GoodAudit required.

Developer Experience

Built for engineers, trusted by auditors

A clean REST API with OpenAPI specs, typed SDKs, and scoped API keys. No agent to install, no SIEM to configure. Send structured events — we handle the cryptography, chaining, and compliance mapping.

  • OpenAPI 3.1 spec with interactive docs
  • Cursor-based pagination for high-volume queries
  • Webhook notifications for chain verification events
  • Extensible event schema with typed JSONB extensions
  • Multi-tenant isolation with per-account HMAC keys
Verify chain integrity
GET /api/v1/chain/verify

{
  "status":      "intact",
  "entries":     184729,
  "gaps":        0,
  "checkpoints": 2847,
  "anchor_results": {
    "anchored":   2841,
    "pending":    6,
    "signatures": "all_valid",
    "key_status": "trusted"
  }
}

Why Teams Switch

From weeks of audit prep to minutes

93% reduction in audit prep time

<50ms median API response

5 min to first audit entry

Stop hoping your logs are trustworthy.
Start proving it.

Ship your first tamper-evident audit entry in under 5 minutes. No credit card required.