Audit Log
Every MCP tool call that passes through Vinkius Cloud is logged immutably. Every request, every response, every redaction, every truncation — captured with full metadata, searchable, and tamper-proof.
You don't wonder what your AI agents are doing. You know.
What gets logged
Every log entry captures the complete context of a tool call. Below is the exact table structure visible in the Audit Log tab:
Column reference
| Column | What it captures |
|---|---|
| Timestamp | Exact time of the tool call (UTC, millisecond precision) |
| Tool | Which MCP tool was invoked (e.g., get_pet_by_id, delete_pet) |
| Verb | Semantic classification: QUERY (read), MUTATION (write), or DESTRUCTIVE (delete) |
| Code | Upstream API HTTP response status (color-coded: green 2xx, amber 4xx, red 5xx) |
| Time | Round-trip response time in milliseconds |
| DLP | Number of fields redacted by the DLP engine (amber when > 0) |
| Client | Which connection token initiated the request (name hint, not the plaintext token) |
Semantic verb classification
Every tool call is automatically classified based on its MCP annotation and HTTP method:
- readOnlyHint: true. No side effects on your data.
- destructiveHint: true. Highlighted in red so destructive actions are immediately visible in the log feed.
DLP-aware logging
When DLP is enabled, the audit log captures governance activity alongside the tool call:
- Redaction count — how many fields were redacted in this specific response (displayed in the DLP column; amber when > 0)
- Pattern matched — which DLP pattern triggered the redaction (credit card, email, SSN, or custom regex)
- Field path — which JSON path was redacted (e.g., customer.email, payment.card_number)
Critically, the audit log never records the original sensitive value. The log shows customer.email: [REDACTED by pattern:email] — not the actual email address. This allows compliance teams to verify that DLP is working correctly without re-exposing the data it was designed to protect.
Buyer privacy guard
When a server is published on the Marketplace, the audit log is automatically disabled. Sellers cannot view individual buyer request logs — this protects buyer privacy and prevents sellers from identifying individual subscribers through per-request analysis.
Retention tiers
FinOps Guard observability
Audit logs also capture FinOps Guard activity. When an API response contains arrays that exceed the configured maximum, the log entry records:
- The original array length before truncation
- The truncated length after FinOps processing
- Which field was truncated
- The configured limit that triggered truncation
This gives you full visibility into how FinOps Guard is affecting your AI model's data. If the model starts producing lower-quality outputs, you can trace the issue to specific truncations and adjust limits accordingly.
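The following added example shows how a proxy can record DLP redactions and FinOps truncations, as described in the two sections above, without the original values ever reaching the log. It is not Vinkius Cloud's code: the function names, the regex patterns, the audit entry keys and the sample payload are assumptions made for illustration.

```python
import re

# Illustrative patterns only (assumption); the product's own DLP patterns are not shown on the page.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def sanitize(node, max_items, audit, path=""):
    """Return a sanitized copy of node, appending governance events to audit."""
    if isinstance(node, dict):
        return {k: sanitize(v, max_items, audit, f"{path}.{k}" if path else k)
                for k, v in node.items()}
    if isinstance(node, list):
        if len(node) > max_items:
            # Record field, lengths and limit; the dropped items are not logged.
            audit["truncations"].append({"field": path, "original_length": len(node),
                                         "truncated_length": max_items, "limit": max_items})
            node = node[:max_items]
        return [sanitize(v, max_items, audit, f"{path}[{i}]") for i, v in enumerate(node)]
    if isinstance(node, str):
        for name, rx in PATTERNS.items():
            if rx.search(node):
                # Record path and pattern name only; the matched value is discarded.
                audit["redactions"].append({"field": path, "pattern": name})
                return f"[REDACTED by pattern:{name}]"
    return node

def process_response(payload, max_items=2):
    """Sanitize one upstream response and build its (hypothetical) audit entry."""
    audit = {"redactions": [], "truncations": []}
    clean = sanitize(payload, max_items, audit)
    audit["dlp_count"] = len(audit["redactions"])  # value shown in the DLP column
    return clean, audit

# Constructed sample upstream response.
SAMPLE = {
    "customer": {"email": "jane@example.com", "name": "Jane"},
    "orders": [{"id": 1}, {"id": 2}, {"id": 3}, {"id": 4}],
}

if __name__ == "__main__":
    import json
    clean, audit = process_response(SAMPLE)
    print(json.dumps(clean, indent=2))
    print(json.dumps(audit, indent=2))
```

A useful check when reviewing any such pipeline is to serialize the audit entry and search it for the known sensitive value; it should never appear.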
Compliance readiness
AI agent observability is rapidly becoming a regulatory requirement. Vinkius Cloud's audit log is designed with compliance in mind:
The industry context
Most MCP platforms today provide server-level logs — HTTP access logs, error logs, connection counts. These capture infrastructure events but not the semantic layer: which tool was called, what the AI model sent, what the API returned, and what governance transformations (DLP redaction, FinOps truncation) were applied in transit.
Without this level of observability, teams cannot answer fundamental questions about their AI agents:
- "What data did the AI model access last Tuesday?"
- "Which connection token made the most destructive tool calls?"
- "Was PII properly redacted in the response to that customer query?"
- "How many API responses were truncated by FinOps this week?"
Emerging solutions like MintMCP Gateway and Sentry's AI tracing address pieces of this problem. But they operate outside the MCP transport layer — they instrument the agent framework, not the proxy itself. This means they can log tool invocations but cannot capture the transformations that happen between the API response and the AI model.
Vinkius Cloud's audit log operates at exactly the right point in the data flow. It captures the tool call, the upstream response, every DLP redaction, every FinOps truncation, and the final sanitized payload — all in a single, immutable log entry. No SDK integration. No agent framework instrumentation. No configuration beyond toggling the feature on.
Frequently Asked Questions
What information does the audit log capture?
Every log entry records the timestamp (UTC, millisecond precision), tool name, semantic verb (QUERY, MUTATION, or DESTRUCTIVE), upstream HTTP status code, round-trip response time, number of DLP redactions, and which connection token initiated the request.
Does the audit log contain sensitive data?
No. When DLP is enabled, the audit log records which fields were redacted and which pattern was matched, but it never stores the original sensitive value. For example, it logs customer.email: [REDACTED by pattern:email] — not the actual email address.
How long are audit logs retained?
Retention depends on your plan: Free tier provides real-time feed only (no persistence), Team plan includes 7-day searchable history, and Business plan offers 30-day immutable logs that cannot be modified or deleted — even by account administrators.
Can sellers see buyer request logs on the Marketplace?
No. When a server is published on the Marketplace, the audit log is automatically disabled for buyer privacy protection. Sellers can only see aggregate metrics (total requests, error rate, latency) on the Dashboard tab.
Does the audit log track DLP and FinOps Guard activity?
Yes. Every DLP redaction event is logged with the redaction count, matched pattern, and affected field path. FinOps Guard truncations are also recorded with the original array length, truncated length, affected field, and configured limit.
Is the audit log suitable for compliance audits?
Yes. The Business plan provides SOC 2 Type II, GDPR, HIPAA, and PCI-DSS compliance-ready logs. Entries are tamper-proof (write-once, no modifications), include full identity tracking via connection tokens, and document every AI agent interaction with your APIs.