1.4 Audit Logging

The audit system records a controlled trail of significant business operations across the platform. It captures who did what, when, why, and with what result, covering companies, tenants, memberships, API keys, authentication, players, alerts, and control-plane operations.

Audit rows are protected from modification once written. Workspace (company) owners can clear workspace audit logs through the dashboard, and logs are retained for 90 days by default.

What Is Audited

• All sensitive Game Studio write operations (create, update, delete, transfer)
• Authentication events (login, logout, 2FA, password changes)
• Membership lifecycle (invite, accept, reject, remove, leave)
• API key and game auth key management
• Alert and webhook configuration changes
• Player identity operations (wallet challenges, email verification, bans)
• Quota warning threshold crossings
• Control-plane failures on write paths

What Is Intentionally Not Audited

To keep the trail focused on meaningful changes, the following are excluded:

• Read-only endpoint access
• Generic validation failures (400s from malformed payloads)
• GET request exceptions
• Requests to the audit log endpoints themselves