Standalone SKU

Chain-Verified Audit Log

Tamper-evident, continuously verified, replayable. HMAC-chained append-only audit log with scheduled per-organization verification and a chain integrity score endpoint. Vendor-neutral, language-agnostic, no AI required.

Last updated: 2026-05-18

Why this exists

We built this so COHESION's own oversight scoring is tamper-evident. It turned out to be good enough that we ship it standalone to any organization with append-only audit log requirements: HIPAA, SOX, ISO 27001, SOC 2, NIST 800-53, PCI DSS, FedRAMP, 21 CFR Part 11.

Three durable properties:

  • Tamper-evident by construction. Every entry is HMAC-chained to the prior entry. One mutation breaks the chain at the mutation point and at every entry after it.
  • Continuously verified. A per-organization cron re-verifies recent entries every 15 minutes. The verifier itself writes audit entries, so the verifier is auditable.
  • Replayable. Given start state plus log, end state is reproducible. The log is a derivation, not a journal.

How it works

Step 1

Write

Caller POSTs an event. The worker computes entry_hash = HMAC(secret, prev_hash || event_payload_canonical) and stores the new entry. By default we store only the SHA-256 of the canonical payload, not the payload itself. Raw payloads stay in your systems.

Step 2

Chain

The next write reads the most recent entry's entry_hash, uses it as prev_hash, and the chain continues. D1 per-org serialization handles concurrency. No replay attacks, no silent rewrites.

Step 3

Verify

A Cloudflare Cron Trigger runs every 15 minutes per organization. It walks the recent chain window, recomputes every entry_hash, and reports mismatches. The chain integrity score is integer in [0, 100]. Anything under 100 indicates at least one broken link.

Pricing

Standalone

$5,000 / year

  • Up to 50M chained entries / year
  • Scheduled chain-verify cron per org
  • Chain integrity score endpoint
  • 90-day default audit log retention
  • SDK (TypeScript + Python) + REST API
  • Negotiated uptime and support terms

Bundled with COHESION

Included at no incremental cost

  • Every COHESION oversight tier includes the audit log
  • Same retention defaults and support path
  • Single contract, single key, single dashboard

Enterprise

Call for pricing

  • Custom retention up to 7 years (HIPAA, SOX defaults)
  • Dedicated HMAC key per environment
  • Quarterly chain-of-custody attestation letter
  • Bring-your-own-KMS option

Integration

Two paths. Pick one.

SDK

import { Client } from "@cohesionauth/sdk";
const client = new Client({ apiKey: env.COHESION_API_KEY });

await client.audit.append({
  event_type: "config_change",
  actor_id: "svc-deploy-bot",
  payload_hash: sha256(JSON.stringify(payload)),
  metadata: { region: "us-west-2", change_id: "CHG-44219" },
});

const status = await client.audit.verifyChain({ window: "last_15m" });
console.log(status.chain_integrity_score, status.verified_rows, status.broken_rows);

REST

curl -X POST https://api.cohesionauth.com/v1/audit/append \
  -H "X-API-Key: $COHESION_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"event_type":"config_change","actor_id":"svc-deploy-bot","payload_hash":"..."}'

curl -X GET "https://api.cohesionauth.com/v1/audit/chain/verify?window=last_15m" \
  -H "X-API-Key: $COHESION_API_KEY"

Compared to general log SIEMs

Datadog, Splunk, and Sumo Logic are excellent at search and observability. They are not designed for chain-of-custody. The Chain-Verified Audit Log is.

CapabilityDatadog / Splunk auditChain-Verified Audit Log
Append-only storageYesYes
Operator can rewrite recent entries before flushPossibleNo (chain breaks)
Continuous chain verificationNoYes (scheduled cron)
Replay from logNoYes
Per-org integrity score endpointNoYes
Bring-your-own-HMAC optionNoEnterprise tier

FAQ

Does this require any AI?

No. The Chain-Verified Audit Log is vendor-neutral and language-agnostic. It is the durable audit-evidence layer that any compliance program can use.

Do you store the payload?

By default we store the SHA-256 hash of the canonical payload, not the payload itself. Raw payloads stay in your systems. Opt-in payload storage is available on Enterprise.

What happens if the chain breaks?

The next verify run reports the break point and every entry after it. The integrity score drops below 100. We alert the operator email on the account immediately. The break itself is permanent and visible; there is no silent recovery.

Can I use my own HMAC key?

Enterprise tier supports a bring-your-own-KMS workflow, including AWS KMS, Azure Key Vault, and GCP KMS.

What is the retention default?

90 days standalone. Up to 7 years on Enterprise (HIPAA and SOX customers commonly select 6 or 7 years).

Get started