Audit log

Sigil writes one row to audit_events for every state-changing, security-sensitive action. The portal’s Audit log page reads from it; you can also query it from your backend.

GET /v1/orgs/{orgID}/audit

Portal-only (Kratos session). Query params:

Name	Type	Notes
event_type	string	Filter to one of the values listed below.
success	bool	true (default both) or false.
limit	int	Default 50, max 200.
offset	int

Response:

{
  "data": {
    "items": [
      {
        "id": "aud_xxx",
        "timestamp": "2026-05-04T22:00:00Z",
        "organization_id": "org_xxx",
        "user_identity_id": "usr_xxx",
        "wallet_id": "wal_xxx",
        "actor_type": "end_user",
        "actor_id": "usr_xxx",
        "event_type": "wallet.created",
        "payload": { "chain_type": "evm", "address": "0x…" },
        "success": true,
        "error_code": ""
      }
    ],
    "total": 1234,
    "limit": 50,
    "offset": 0
  },
  "error": null
}

Event types

Stable strings, safe to switch on:

Type	When
wallet.created	Iframe successfully created a wallet.
recovery.initiated	OTP email sent for a recovery process.
recovery.verified	OTP accepted, shares returned to iframe.
recovery.completed	Polynomial rotated, new shares persisted.
api_key.created	Portal user minted a key.
api_key.revoked	Portal user revoked a key.
org.auth_updated	Auth config changed (sigil ↔ oidc, issuer, etc).
org.settings_updated	Branding / allowed origins / support email.
org.recovery_mode_updated	Customer-managed ↔ Sigil-managed.
webhook.updated	Recovery webhook URL upserted.
webhook.removed	Recovery webhook deleted.

Reliability

Audit writes are best-effort: a failure to write does not abort the originating request. We’d rather drop an audit row than refuse to authenticate a user. Failures are surfaced in the runtime logs with audit insert failed.