AuthZed Product Documentation
Concepts
Audit Logging

Audit Logging

Audit Logging is functionality exclusive to AuthZed products that publishes logs of SpiceDB API operations to a log sink.

Log Format

Logs contain the full details related to a request including:

  • API Token hash
  • Request Method
  • Request Body
  • Request IP
  • Response Body
  • Errors (if any)

Example

CheckPermission

{
 "specversion": "1.0",
 "id": "819b4d52db4797491e31d0228f381543",
 "source": "/ps/dev-ps/rc/us-east-1/p/dev-ps-abcd1234",
 "type": "/authzed.api.v1.PermissionsService/CheckPermission",
 "datacontenttype": "application/json",
 "time": "2023-12-18T17:33:11.783093248Z",
 "data": {
   "request": {
     "@type": "type.googleapis.com/authzed.api.v1.CheckPermissionRequest",
     "consistency": {
       "minimizeLatency": true
     },
     "resource": {
       "objectType": "resource",
       "objectId": "firstdoc",
       "permission": "read"
     },
     "subject": {
       "object": {
         "objectType": "user",
         "objectId": "tom"
       }
     },
     "response": {
       "@type": "type.googleapis.com/authzed.api.v1.CheckPermissionResponse",
       "checkedAt": {
         "token": "GgoKCENKcmt4QTA9"
       },
       "permissionship": "PERMISSIONSHIP_HAS_PERMISSION"
     },
     "metadata": {
       "token_hash": "c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2",
       "user-agent": "grpc-go/1.58.3",
       "x-request-id": "819b4d52db4797491e31d0228f381543"
     }
   }
 }
}

ReadSchema

{
  "specversion": "1.0",
  "id": "35cdd6662882bd387292ef78a650d18b",
  "source": "/ps/dev-ps/rc/us-east-1/p/dev-ps-abcd1234",
  "type": "/authzed.api.v1.SchemaService/ReadSchema",
  "datacontenttype": "application/json",
  "time": "2023-12-18T17:32:47.234247Z",
  "data": {
    "request": {
      "@type": "type.googleapis.com/authzed.api.v1.ReadSchemaRequest"
    },
    "response": {
      "@type": "type.googleapis.com/authzed.api.v1.ReadSchemaResponse",
      "schemaText": "definition folder {\n\trelation reader: user | service\n\tpermission read = reader\n}\n\ndefinition resource {\n\trelation reader: user | service\n\tpermission read = reader\n}\n\ndefinition service {}\n\ndefinition user {}",
      "readAt": {
        "token": "GhUKEzE3MDI5MjA0MjcxMjM2MDIwMDA="
      }
    },
    "metadata": {
      "token_hash": "c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2",
      "user-agent": "grpc-go/1.58.3",
      "x-request-id": "35cdd6662882bd387292ef78a650d18b"
    }
  }
}

Log Sinks

Log Sinks are the targets where logs will be shipped in order to be persisted.

Info: We're exploring additional Log Sinks.

Please reach out to your success team with any requests.

AWS Kinesis and Kinesis Firehose

As a prerequisite to use Kinesis (opens in a new tab) or Kinesis Firehose (opens in a new tab) as a log sink, an IAM role must exist in the AWS account with the necessary permissions to write to the Kinesis stream or Firehose delivery stream.

This is an example policy that grants the necessary permissions to write to a Firehose delivery stream:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "firehose:PutRecord"
            ],
            "Resource": "EXAMPLE_FIREHOSE_ARN"
        }
    ]
}

Dedicated

For Dedicated customers, this role will also need a trust policy which allows the role to be assumed by the AuthZed account in order to deliver logs to the stream.

To find the Dedicated AWS account ID, navigate to the Permission System's settings page, find the Audit Log settings, and choose "AWS Kinesis" or "AWS Kinesis Firehose" as the log sink. The account ID will be displayed in the configuration.

This is an example trust policy that allows the AuthZed account to assume the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "EXAMPLE_AUTHZED_ACCOUNT_ID"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "EXAMPLE_EXTERNAL_ID"
                }
            }
        }
    ]
}

Configuration

The process for setting up audit logging varies depending on the AuthZed product you're using.

Dedicated & Cloud

Using the web dashboard, navigate to the Permission System's settings page to find the Audit Log settings.

Self-Hosted

Use the following command-line flags:

FlagDescriptionDefault
--extender-enabledmust be set toauthzed-audit
--extender-audit-batch-size-limitdefines the maximum number of audit events to be processed as a unit10000
--extender-audit-buffer-sizedefines the size of the audit log buffer that holds events to be processed by workers1000000
--extender-audit-buffer-windowdefines maximum amount of time events are buffered before being pushed1s
--extender-audit-disabled-on-methods stringslist of comma-separated, fully-qualified API methods to disable events for. Watch API is always excluded (e.g. /authzed.api.v1.PermissionsService/CheckPermission)
--extender-audit-initial-retry-interval durationsets the first retry backoff in case of a failure to push audit events to the backend1s
--extender-audit-max-retry-interval durationsets the maximum backoff duration in case of failure to push events30s
--extender-audit-retry-randomizer-factorsets the randomization factor for the backoff duration - this helps prevent thundering herds on event push errors0.5
--extender-audit-stream-namedefines the name of the target stream/topic (e.g. Kafka Topic, Kinesis Stream...)spicedb
--extender-audit-target-configurationtarget-type specific configuration[]
--extender-audit-target-endpoint-url stringdefines the URL of target endpoint to ingest audit events. If left unspecified, some types will try to determine automatically (e.g. AWS SDK)
--extender-audit-target-typedefines the type of target to ingest audit eventsnoop
--extender-audit-worker-countdefines the number of worker goroutines to process audit events (default 5)

Tokens in Audit Logs

To identify which token was used for a request, look up its SHA-256 hash in the audit log's metadata. Each request's token_hash field contains the hashed value of the original token used.

Example of generating a SHA-256 hash:

$ python3 -c "import hashlib; print(hashlib.sha256('<authzed-token>'.encode()).hexdigest())"
> 2ffb5caf16962e4371bc036d8de2a99dfcea1ae70091ef2953d633a88d05321a
© 2025 AuthZed.