Audit & Monitoring
Track security-relevant events, detect suspicious activity, and maintain an audit trail of who changed what and when.
Security monitoring
Temps surfaces the following security signals in the dashboard and via the API:
| Signal | Where to find it |
|---|---|
| Failed login attempts | Audit log, filtered by event type auth.login_failed |
| Unauthorized API access | Audit log (auth.unauthorized) + server logs |
| TLS certificate expiry | Dashboard notification + email alert (if email provider is configured) |
| WAL health warnings | Service detail page for managed PostgreSQL services |
| OOM-killed containers | Service runtime panel (oom_killed flag) |
For application-level error tracking (crashes, exceptions, performance regressions), see Error Tracking and Monitoring.
Audit log
Every write operation in Temps emits a structured audit event. Events record:
- Who — the user ID and email, or the API key identifier
- What — the event type and the resource affected (project ID, deployment ID, etc.)
- When — ISO 8601 timestamp in UTC
- From where — the client IP address (XFF-aware, with spoofing protection — only trusted when the direct TCP peer is loopback)
Audit events are stored in the Temps database and accessible via the dashboard under Settings → Audit Log and via the API.
Retention
Audit events are retained indefinitely by default. If storage is a concern, configure a retention policy by deleting old rows on a schedule or configuring your database's partitioning or TTL features.
Audit events reference
Authentication events
| Event | Trigger |
|---|---|
auth.login_success | Successful login (any method) |
auth.login_failed | Failed login attempt |
auth.logout | User logged out |
auth.mfa_enabled | MFA enabled on an account |
auth.mfa_disabled | MFA disabled |
auth.password_changed | In-app password change |
auth.password_reset_requested | Self-service reset link requested |
auth.api_key_created | API key created |
auth.api_key_revoked | API key revoked |
OIDC / SSO events
| Event | Trigger |
|---|---|
oidc_provider.created | New SSO provider configured |
oidc_provider.updated | Provider settings changed (includes fields_changed list) |
oidc_provider.deleted | Provider removed |
oidc_role_mapping.created | Role mapping added |
oidc_role_mapping.deleted | Role mapping removed |
Project & deployment events
| Event | Trigger |
|---|---|
project.created | New project created |
project.deleted | Project deleted |
deployment.triggered | Deployment started manually or via git push |
deployment.cancelled | Deployment cancelled |
environment.created | New environment created |
environment.deleted | Environment deleted |
Settings & access events
| Event | Trigger |
|---|---|
team.member_invited | Team member invited |
team.member_role_changed | Role changed for a team member |
team.member_removed | Team member removed |
settings.updated | Platform settings changed |
email_provider.created | Email provider added |
email_provider.updated | Email provider edited (logs field names changed, never values) |
email_provider.deleted | Email provider removed |
backup_schedule.created | Backup schedule created |
backup_schedule.updated | Backup schedule modified |
backup_schedule.deleted | Backup schedule deleted |
Querying the audit log
Dashboard
Navigate to Settings → Audit Log. Filter by event type, user, date range, or resource ID.
API
# List recent audit events
GET /api/audit-log?limit=50&event_type=auth.login_failed
# Filter by user
GET /api/audit-log?user_id=42&from=2026-01-01T00:00:00Z
# Filter by resource
GET /api/audit-log?resource_type=project&resource_id=7
Events are returned in reverse chronological order (newest first) with standard pagination.