Audit Log
Monitor and review all API calls made through MCP connections
Every API call made through an MCP connection is automatically logged. The audit log records which token was used, what was called, and the response status.
Viewing the audit log
Go to Settings → MCP → Activity Log to see recent MCP activity.
Each entry shows:
| Field | Description |
|---|---|
| Time | When the API call was made (relative timestamps for recent entries) |
| Token | Name of the MCP token used |
| Method | HTTP method (GET, POST, PUT, PATCH, DELETE) |
| Path | API path called (e.g., /api/v1/clusters) |
| Status | HTTP status code (color-coded: green=2xx, yellow=4xx, red=5xx) |
Filtering
When multiple tokens have been used, a dropdown filter appears to show activity from a specific token only.
How it works
- An MCP tool (e.g., list_clusters) makes an internal API call to /api/v1/clusters
- The auth middleware recognizes the pwm_token and validates it
- The request proceeds through normal API handling
- After the response, the middleware fires a background task to insert an audit log entry
- The entry records the token ID, token name, HTTP method, path, and status code
Audit logging is fire-and-forget — it never blocks or slows down the actual API call.
API access
Per-token audit log
GET /api/v1/settings/mcp-tokens/{token_id}/audit?limit=100
Returns the most recent entries for a specific token.
Global audit log
GET /api/v1/settings/mcp-audit?limit=100
Returns the most recent entries across all tokens. Maximum limit is 500.
Response format
[
  {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "token_name": "Claude Desktop",
    "method": "GET",
    "path": "/api/v1/clusters",
    "status_code": 200,
    "created_at": "2026-02-28T03:42:00+00:00"
  }
]
Hub tunnel entries
When tool calls come through the Hub MCP tunnel, audit entries show "Hub Tunnel (hub)" as the token name and use method "TOOL" with a path like /mcp/tool/list_clusters. This makes it easy to distinguish Hub-proxied calls from direct MCP connections.
You can filter the activity log by token name to see only Hub tunnel activity.
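The following is an added example, not code from this product: it reviews a list of entries in the response format above per token, counting 401/403 responses and mutating HTTP methods, and listing Hub tunnel calls by tool name because those entries carry method "TOOL" instead of an HTTP verb. The token names ci-bot and ops-script, the path /api/v1/example-resource, the entry IDs and the review threshold are constructed assumptions.

```python
# Constructed sample entries in the documented response format (not real data).
# In practice, pass the JSON list returned by GET /api/v1/settings/mcp-audit.
SAMPLE = [
    {"id": f"00000000-0000-4000-8000-{i:012d}", "token_name": t, "method": m,
     "path": p, "status_code": s, "created_at": "2026-02-28T03:42:00+00:00"}
    for i, (t, m, p, s) in enumerate([
        ("Claude Desktop", "GET", "/api/v1/clusters", 200),
        ("ci-bot", "GET", "/api/v1/clusters", 403),
        ("ci-bot", "GET", "/api/v1/clusters", 403),
        ("ci-bot", "GET", "/api/v1/clusters", 401),
        ("ops-script", "POST", "/api/v1/example-resource", 201),  # hypothetical path
        ("Hub Tunnel (hub)", "TOOL", "/mcp/tool/list_clusters", 200),
    ])
]

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
HUB_TOOL_PREFIX = "/mcp/tool/"


def summarize(entries):
    """Group audit entries by token_name and count what a reviewer checks first."""
    report = {}
    for e in entries:
        r = report.setdefault(e["token_name"], {
            "calls": 0, "mutating": 0, "denied": 0,
            "server_errors": 0, "hub_tools": set()})
        r["calls"] += 1
        method, status = e["method"].upper(), int(e["status_code"])
        if method == "TOOL" and e["path"].startswith(HUB_TOOL_PREFIX):
            # Hub tunnel entries have no HTTP verb; record the tool name instead.
            r["hub_tools"].add(e["path"][len(HUB_TOOL_PREFIX):])
        elif method in MUTATING:
            r["mutating"] += 1
        if status in (401, 403):
            r["denied"] += 1
        elif status >= 500:
            r["server_errors"] += 1
    return report


def needs_review(report, max_denied=3):
    """Token names with repeated 401/403 responses (assumed threshold) or any mutating call."""
    return sorted(name for name, r in report.items()
                  if r["denied"] >= max_denied or r["mutating"] > 0)


if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for name, r in rep.items():
        print(name, r)
    print("needs review:", needs_review(rep))
```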
What gets logged
Every API call triggered by an MCP tool is logged — whether the tool was called directly or through the Hub tunnel. A single tool invocation may generate multiple audit entries if it makes multiple API calls. For example:
- troubleshoot_workload calls the assignment endpoint, then the definition endpoint, then the cluster endpoint, then the logs endpoint; that's 4 audit entries
- list_clusters makes one API call; that's 1 audit entry
- deploy_workload calls the deploy endpoint; that's 1 audit entry (the background deployment itself is not logged as MCP activity)
Retention
Audit log entries are stored indefinitely. To manage database size, you can periodically clean old entries:
DELETE FROM mcp_audit_log WHERE created_at < NOW() - INTERVAL '90 days';