Standalone SKU
Chain-Verified Audit Log
Tamper-evident, continuously verified, replayable. HMAC-chained append-only audit log with scheduled per-organization verification and a chain integrity score endpoint. Vendor-neutral, language-agnostic, no AI required.
Why this exists
We built this so COHESION's own oversight scoring is tamper-evident. It turned out to be good enough that we ship it standalone to any organization with append-only audit log requirements: HIPAA, SOX, ISO 27001, SOC 2, NIST 800-53, PCI DSS, FedRAMP, 21 CFR Part 11.
Three durable properties:
- Tamper-evident by construction. Every entry is HMAC-chained to the prior entry. One mutation breaks the chain at the mutation point and at every entry after it.
- Continuously verified. A per-organization cron re-verifies recent entries every 15 minutes. The verifier itself writes audit entries, so the verifier is auditable.
- Replayable. Given start state plus log, end state is reproducible. The log is a derivation, not a journal.
How it works
Step 1
Write
Caller POSTs an event. The worker computes
entry_hash = HMAC(secret, prev_hash || event_payload_canonical)
and stores the new entry. By default we store only the SHA-256 of the canonical payload,
not the payload itself. Raw payloads stay in your systems.
Step 2
Chain
The next write reads the most recent entry's entry_hash, uses it as
prev_hash, and the chain continues. D1 per-org serialization handles concurrency.
No replay attacks, no silent rewrites.
Step 3
Verify
A Cloudflare Cron Trigger runs every 15 minutes per organization. It walks the recent
chain window, recomputes every entry_hash, and reports mismatches. The
chain integrity score is integer in [0, 100]. Anything under 100 indicates at least
one broken link.
Pricing
Standalone
$5,000 / year
- Up to 50M chained entries / year
- Scheduled chain-verify cron per org
- Chain integrity score endpoint
- 90-day default audit log retention
- SDK (TypeScript + Python) + REST API
- Negotiated uptime and support terms
Bundled with COHESION
Included at no incremental cost
- Every COHESION oversight tier includes the audit log
- Same retention defaults and support path
- Single contract, single key, single dashboard
Enterprise
Call for pricing
- Custom retention up to 7 years (HIPAA, SOX defaults)
- Dedicated HMAC key per environment
- Quarterly chain-of-custody attestation letter
- Bring-your-own-KMS option
Integration
Two paths. Pick one.
SDK
import { Client } from "@cohesionauth/sdk";
const client = new Client({ apiKey: env.COHESION_API_KEY });
await client.audit.append({
event_type: "config_change",
actor_id: "svc-deploy-bot",
payload_hash: sha256(JSON.stringify(payload)),
metadata: { region: "us-west-2", change_id: "CHG-44219" },
});
const status = await client.audit.verifyChain({ window: "last_15m" });
console.log(status.chain_integrity_score, status.verified_rows, status.broken_rows); REST
curl -X POST https://api.cohesionauth.com/v1/audit/append \
-H "X-API-Key: $COHESION_API_KEY" \
-H "Content-Type: application/json" \
-d '{"event_type":"config_change","actor_id":"svc-deploy-bot","payload_hash":"..."}'
curl -X GET "https://api.cohesionauth.com/v1/audit/chain/verify?window=last_15m" \
-H "X-API-Key: $COHESION_API_KEY" Compared to general log SIEMs
Datadog, Splunk, and Sumo Logic are excellent at search and observability. They are not designed for chain-of-custody. The Chain-Verified Audit Log is.
| Capability | Datadog / Splunk audit | Chain-Verified Audit Log |
|---|---|---|
| Append-only storage | Yes | Yes |
| Operator can rewrite recent entries before flush | Possible | No (chain breaks) |
| Continuous chain verification | No | Yes (scheduled cron) |
| Replay from log | No | Yes |
| Per-org integrity score endpoint | No | Yes |
| Bring-your-own-HMAC option | No | Enterprise tier |
FAQ
Does this require any AI?
No. The Chain-Verified Audit Log is vendor-neutral and language-agnostic. It is the durable audit-evidence layer that any compliance program can use.
Do you store the payload?
By default we store the SHA-256 hash of the canonical payload, not the payload itself. Raw payloads stay in your systems. Opt-in payload storage is available on Enterprise.
What happens if the chain breaks?
The next verify run reports the break point and every entry after it. The integrity score drops below 100. We alert the operator email on the account immediately. The break itself is permanent and visible; there is no silent recovery.
Can I use my own HMAC key?
Enterprise tier supports a bring-your-own-KMS workflow, including AWS KMS, Azure Key Vault, and GCP KMS.
What is the retention default?
90 days standalone. Up to 7 years on Enterprise (HIPAA and SOX customers commonly select 6 or 7 years).
Get started
- Read the full spec on GitHub.
- Read the Methodology Annex for the security posture.
- Try the live API in under five minutes.
- Contact peyton@cohesionauth.com for Enterprise tier or BYOK conversations.