HiveKey

Product

OverviewScopeGuardLogEnforcementPlatform & gatewayIntegrations

Solutions

Security teamsPlatform engineeringCompliance & GRCPII & data protectionAI & ML teamsBy industryUse cases

Developers

DocsHow it worksAPI referenceMCP governanceMCP directory

Resources

BlogLearnGlossaryCompareComplianceTrust center

Company

AboutTeamContact
Pricing Book a demo
Log · provable history

One immutable record of everything every agent did.

Because HiveKey is in the path, each action is recorded as it happens — not reconstructed later from scattered logs. Who, what, when, and which human it traces back to. Streamed to your SIEM, exportable for audits.

Book a demo Read the docs
What the trail guarantees

Not a log file. A system of record.

Three properties make the difference between debugging output and evidence you can stand behind in an audit.

Immutable

Append-only and hash-chained. Records can't be edited or quietly deleted after the fact.

Attributable

Every action ties to a verifiable agent identity and the accountable human who owns it.

Exportable

Stream to your SIEM in real time, or pull a signed export for SOC 2 and incident review.

Audit log stream

Watch the fleet in real time. Click any line for the full record.

audit · all agents

streaming
14:02:11 support-agent · mail_send → customer
allow
14:02:09 billing-bot · payments_pay $40
allow
14:02:04 billing-bot · payments_pay $540
deny · cap
14:01:58 intern-agent · crm_delete_record
deny · guard
14:01:52 ops-agent · deploy staging
allow
14:01:47 support-agent · vault_get reveal
deny · scope
14:01:40 crm-sync · crm_read 240 rows
allow

Event detail

deny · cap
event_id
evt_9f3a2c10
agent
billing-bot
owner
Finance · samir@acme.com
action
payments_pay
amount
$540.00
rule
R2 · daily cap $500
timestamp
2026-06-16 14:02:04Z
hash
sha256:7b1e…a042

Chained to evt_9f3a2c0f · tamper-evident

Illustrative records. Sample identifiers and timestamps.

The record

Every action is one structured, tamper-evident record.

Not a line of text — a structured event captured in the path, hash-chained to the one before it. Here's what's in every record.

  • event_id Unique, immutable id for the action
  • agent · session Which agent, and the session it ran in
  • principal · owner The agent identity and the accountable human behind it
  • tool · args The exact tool called and the full arguments
  • provenance Whether the triggering context came from a trusted or untrusted source
  • seq Position in the agent's call sequence — for multi-step review
  • verdict · reason allow / deny / approve, and the rule that decided it
  • latency_ms Time the in-path decision added
  • hash · prev_hash Hash chain that makes the trail tamper-evident

Provenance is the field most teams skip — and the one that makes prompt-injection enforcement possible. A sensitive call triggered by untrusted content is exactly what you want to catch.

action.event.json deny 
{
  "event_id": "evt_8f21a4c0",
  "ts":       "2026-06-20T14:07:31Z",
  "agent":    "billing-bot",
  "session":  "sess_4a9e",
  "principal":"svc/billing",
  "owner":    "daniel@acme.com",
  "tool":     "payments_pay",
  "args":     { "to": "vendor@x.io", "amount": 540 },
  "provenance": "untrusted · inbound email",
  "seq":      7,
  "verdict":  "deny",
  "reason":   "guard: over daily cap",
  "latency_ms": 9,
  "prev_hash":"a1b2c3d4…",
  "hash":     "e5f6a7b8…"
}

Illustrative event. Field names shown for reference.

Volume

Action volume over 24 hours.

Allowed and denied counts, broken out so spikes and anomalies surface immediately.

9,569

actions logged · last 24h

allowed denied
00:0006:0012:0018:0024:00
Ship it anywhere

Stream to your SIEM. Export for compliance.

Real-time delivery to the tools your security team already lives in — plus signed, point-in-time exports for SOC 2 and incident response.

Destinations

Splunk Datadog Amazon S3 Elastic Sumo Logic Webhook

# live tail to your SIEM

hivekey stream --to splunk \
  --filter "verdict=deny" \
  --format ecs

SOC 2 export

Auditor-ready in one click

Generate a signed, point-in-time export scoped to a date range, agent, or rule. Verifiable hash chain included.

SOC 2 Type II — in progress; controls designed for it from day one.

See how it all enforces in the path — the platform architecture →

Put every agent your company runs under one policy.

Watch HiveKey scope, guard, and block a live action on your own agents — 30 minutes, no slides, no commitment.

Book your 30-min demo Talk to us