Every LLM request is logged with governance decision details. Use audit logs to demonstrate compliance, investigate incidents, and generate reports for your GRC team.
Audit Log Schema interface GovernanceAuditLog { id : string ; // "audit_xxx" orgId : string ; // Organization ID apiKeyId ?: string ; // API key used (if applicable) requestId : string ; // Correlation ID for tracing // Request details model : string ; // Requested model provider ?: string ; // Actual provider used (null if blocked) // Policy evaluation policyId : string ; // Policy ID applied policyName : string ; // Policy name policySlot ?: number ; // Tag slot (1-12 or null) // Decision allowed : boolean ; // Was request allowed? enforcement : "hard_block" | "soft_block" | "warn" ; violationReasons ?: string []; // If blocked/warned, why? // Metadata ipAddress ?: string ; // Client IP userAgent ?: string ; // Client user agent timestamp : string ; // ISO timestamp }
Query Audit Logs Get recent logs
TypeScript
Python
curl "https://api.case.dev/governance/audit-logs?limit=100" \ -H "Authorization: Bearer sk_case_xxx"
{ "logs" : [ { "id" : "audit_abc123" , "requestId" : "req_xyz789" , "timestamp" : "2025-01-10T14:30:00Z" , "model" : "claude-sonnet-4-20250514" , "provider" : "anthropic" , "policyId" : "gpol_xxx" , "policyName" : "Production - HIPAA" , "policySlot" : 1 , "allowed" : true , "enforcement" : "hard_block" }, { "id" : "audit_def456" , "requestId" : "req_uvw123" , "timestamp" : "2025-01-10T14:31:00Z" , "model" : "deepseek-chat" , "provider" : null , "policyId" : "gpol_xxx" , "policyName" : "Production - HIPAA" , "policySlot" : 1 , "allowed" : false , "enforcement" : "hard_block" , "violationReasons" : [ "Provider 'deepseek' is China-based and blocked by policy" , "Provider 'deepseek' does not meet minimum trust tier 'most_trusted'" ] } ], "pagination" : { "total" : 15420 , "limit" : 100 , "offset" : 0 , "hasMore" : true } }
Filter Audit Logs By Policy curl "https://api.case.dev/governance/audit-logs?policyId=gpol_xxx" \ -H "Authorization: Bearer sk_case_xxx"
Blocked Requests Only curl "https://api.case.dev/governance/audit-logs?allowed=false" \ -H "Authorization: Bearer sk_case_xxx"
By Date Range curl "https://api.case.dev/governance/audit-logs?startDate=2025-01-01&endDate=2025-01-31" \ -H "Authorization: Bearer sk_case_xxx"
By Provider curl "https://api.case.dev/governance/audit-logs?provider=anthropic" \ -H "Authorization: Bearer sk_case_xxx"
Compliance Reports Generate summary reports for compliance documentation.
Generate monthly report
TypeScript
Python
curl "https://api.case.dev/governance/reports?period=2025-01&policyId=gpol_xxx" \ -H "Authorization: Bearer sk_case_xxx"
{ "report" : { "id" : "rpt_xxx" , "generatedAt" : "2025-02-01T00:00:00Z" , "period" : { "start" : "2025-01-01T00:00:00Z" , "end" : "2025-01-31T23:59:59Z" }, "policy" : { "id" : "gpol_xxx" , "name" : "Production - HIPAA" }, "summary" : { "totalRequests" : 15420 , "allowedRequests" : 15419 , "blockedRequests" : 1 , "warnedRequests" : 0 , "complianceRate" : 99.99 }, "providerBreakdown" : { "anthropic" : { "requests" : 10250 , "allowed" : 10250 , "blocked" : 0 }, "openai" : { "requests" : 5169 , "allowed" : 5169 , "blocked" : 0 }, "deepseek" : { "requests" : 1 , "allowed" : 0 , "blocked" : 1 } }, "blockedRequests" : [ { "timestamp" : "2025-01-10T14:31:00Z" , "requestId" : "req_uvw123" , "model" : "deepseek-chat" , "reasons" : [ "China-based provider blocked" ], "ipAddress" : "203.0.113.42" } ], "complianceStatus" : "COMPLIANT" } }
CSV Export Export to CSV
TypeScript
Python
curl "https://api.case.dev/governance/audit-logs?format=csv&startDate=2025-01-01&endDate=2025-01-31" \ -H "Authorization: Bearer sk_case_xxx" \ -o audit-logs-january.csv
id, timestamp, request_id, model, provider, policy_name, allowed, enforcement, violations audit_abc123, 2025-01-10T14:30:00Z, req_xyz789, claude-sonnet-4-20250514, anthropic, Production - HIPAA, true, hard_block, audit_def456, 2025-01-10T14:31:00Z, req_uvw123, deepseek-chat, , Production - HIPAA, false, hard_block, "China-based provider blocked"
JSON Export Export to JSON
TypeScript
Python
curl "https://api.case.dev/governance/audit-logs?format=json&startDate=2025-01-01&endDate=2025-01-31" \ -H "Authorization: Bearer sk_case_xxx" \ -o audit-logs-january.json
Log Retention Tier Retention Period Free 7 days Pro 30 days Enterprise 90 days (or custom)
Extended Retention: Export logs to your own systems for longer retention. We recommend integrating with your SIEM or GRC platform.
GRC Integrations Integrate audit logs with your existing compliance tools.
Webhook Events Configure webhooks to receive real-time governance events:
Create webhook
TypeScript
Python
curl -X POST https://api.case.dev/webhooks \ -H "Authorization: Bearer sk_case_xxx" \ -H "Content-Type: application/json" \ -d '{ "url": "https://your-siem.example.com/webhooks/case", "events": ["governance.request.blocked", "governance.request.warned"], "secret": "whsec_xxx" }'
Webhook Payload governance.request.blocked Event
{ "id" : "evt_xxx" , "type" : "governance.request.blocked" , "timestamp" : "2025-01-10T14:31:00Z" , "data" : { "requestId" : "req_uvw123" , "model" : "deepseek-chat" , "provider" : "deepseek" , "policyId" : "gpol_xxx" , "policyName" : "Production - HIPAA" , "violations" : [ "China-based provider blocked" ], "ipAddress" : "203.0.113.42" } }
Common Integrations Platform Integration Method Drata Webhooks + API export Vanta Webhooks + API export OneTrust API export Splunk Webhooks (HTTP Event Collector) Datadog Webhooks + Log forwarding AWS CloudTrail API export to S3
Sample Queries Find All Blocked Requests This Month curl "https://api.case.dev/governance/audit-logs?allowed=false&startDate=$( date -v-1m +%Y-%m-01)" \ -H "Authorization: Bearer sk_case_xxx"
Provider Usage by Policy curl "https://api.case.dev/governance/reports?groupBy=provider&policyId=gpol_xxx" \ -H "Authorization: Bearer sk_case_xxx"
Daily Compliance Summary curl "https://api.case.dev/governance/reports?period=2025-01-10&granularity=daily" \ -H "Authorization: Bearer sk_case_xxx"
Next Steps 
