Audit API

The audit API exposes per-day Merkle heads and inclusion proofs. Heads are in the central plane so you can verify them independently of any single appliance; bodies stay on the appliance.

Heads

GET /v1/tenants/{tenant_id}/audit/heads?day=2026-04-18

{
  "data": [
    {
      "appliance_id": "app_01HZ...",
      "day": "2026-04-18",
      "event_count": 12843,
      "last_sequence": 12843,
      "merkle_root": "b7c5...f21a",
      "signature": "MEUCIQ...",
      "signed_at": "2026-04-19T00:00:05Z"
    }
  ]
}

The signature is verifiable against the appliance’s fleet-signed certificate. Verification is deliberately simple — we document the exact byte ordering in the security whitepaper.

Inclusion proof

GET /v1/tenants/{tenant_id}/audit/proof?appliance_id=...&day=2026-04-18&request_id=req_01HZ...

Returns the Merkle path for a single event. The proof is self-contained — you can verify it on your laptop with 20 lines of code.

Retention

• Heads in central plane: 10 years.
• Bodies on appliance: configurable (default 90 days, up to 7 years).

For statutory retention obligations longer than the appliance storage capacity, we recommend exporting bodies to your own cold-storage tier on a rolling basis — see Audit export.