DEV Community

lulzasaur
Add Tamper-Evident Audit Logs to Your AI Agent

Your AI agent needs immutable audit trails. Here's how to add HMAC-chain verified logs:

The Problem

If you're running AI agents in production — especially for finance, healthcare, or anything regulated — you need audit logs. But regular logging has a fatal flaw: logs can be deleted or modified after the fact.

When an agent makes a bad trade, sends an incorrect email, or accesses data it shouldn't have, you need to prove the log hasn't been tampered with. Standard application logs in a database or file system don't give you that guarantee.

The Solution: HMAC-Chain Audit Logs

The Agent Audit Log API uses HMAC-SHA256 hash chains — the same cryptographic primitive behind blockchain integrity, but without the blockchain overhead. Each log entry's hash includes the previous entry's hash, creating a tamper-evident chain. If anyone modifies or deletes an entry, the chain breaks and verification fails.

Here's how to integrate it into a Node.js agent:

const axios = require("axios");

// Base URL of the API on RapidAPI; the host must match the x-rapidapi-host header below.
const API_URL = "https://agent-audit-log-api.p.rapidapi.com/api/v1";
const headers = {
  "x-rapidapi-key": "YOUR_RAPIDAPI_KEY",
  "x-rapidapi-host": "agent-audit-log-api.p.rapidapi.com",
  "Content-Type": "application/json"
};

// Append one entry to the agent's chain and return the stored record (including its chain_hash).
async function logAgentAction(agentId, action, details) {
  const response = await axios.post(`${API_URL}/logs`, {
    agent_id: agentId,
    action: action,
    details: details,
    timestamp: new Date().toISOString()
  }, { headers });

  console.log(`Logged: ${action} | Chain hash: ${response.data.chain_hash}`);
  return response.data;
}

// Ask the API to recompute the whole chain for this agent and report whether it still holds.
async function verifyChain(agentId) {
  const response = await axios.get(`${API_URL}/verify/${agentId}`, { headers });
  console.log(`Chain integrity: ${response.data.valid ? "VALID" : "BROKEN"}`);
  console.log(`Entries verified: ${response.data.entries_checked}`);
  return response.data;
}

// CommonJS modules have no top-level await, so the calls run inside an async function.
async function main() {
  // Log an agent action
  await logAgentAction("agent-47", "api_call", {
    endpoint: "/v1/trades",
    method: "POST",
    payload_hash: "sha256:a1b2c3..."
  });

  // Verify the chain hasn't been tampered with
  await verifyChain("agent-47");
}

main().catch((err) => {
  console.error("Audit log call failed:", err.response ? err.response.data : err.message);
  process.exit(1);
});

How the Chain Works

Each log entry is hashed with HMAC-SHA256 using the previous entry's hash as input:

Entry 1: hash = HMAC(key, entry_1_data + "genesis")
Entry 2: hash = HMAC(key, entry_2_data + entry_1_hash)
Entry 3: hash = HMAC(key, entry_3_data + entry_2_hash)

To verify integrity, you recompute each hash from the stored data. If any entry was modified or deleted, the recomputed hash won't match and the chain breaks at that point. This gives you the exact entry where tampering occurred.

Use Cases

SOC2 compliance — Auditors need proof that your agent logs are complete and unmodified. HMAC chains give you cryptographic proof, not just "trust us."

HIPAA audit trails — Healthcare agents that access patient data need tamper-evident logging. The chain provides non-repudiation.

Incident response — When an agent misbehaves, you need a trustworthy record of exactly what it did and when. No one can quietly edit the logs after the fact.

Transparency reports — Show users exactly what your agent did with their data, backed by verifiable integrity proofs.

Getting Started

The free tier gives you 50 requests/month — enough to prototype and test the chain verification flow. Each entry is stored with its chain hash, and you can verify the full chain at any time with a single API call.

Get started on RapidAPI
