Tokens & Audit FAQ

#What is a signed decision receipt?

A signed decision receipt is a single-use, HMAC-signed proof of what oakallow decided about a tool call.

Every permission check on an approved tool returns a receipt inline, in the same call — for every verdict, not just allowed. There is no separate step: the check that resolves the decision also signs it. The signature binds the verdict and the exact request (tool, tenant, resource, method, parameters), and the receipt carries a nonce that can only be used once, preventing replay.

A receipt is cryptographic evidence that

oakallow evaluated this exact request and what it decided (allowed, requires_approval, or disabled)
The specific tool and parameters were bound to the decision
The receipt was not reused from a previous call

A disabled receipt is just as real as an allowed one: it is the proof oakallow blocked the action.

(The standalone /v1/tokens/mint endpoint still exists for integrations built before inline signing, but it is no longer required — the permission check signs every decision on its own.)

#How does audit logging work?

oakallow logs every significant action

Permission checks record the tool, tenant, resource, method, and the resolved permission with the level it resolved from
Approval requests record creation, decisions (approve/deny), and expiration
Execution logs record the tool name, parameters, result (success/failed/error), duration, and the run token used

All logs include timestamps and are queryable through the dashboard Activity page and the API. Logs are scoped to your developer account.

#What operations are billable?

Billable operations (charged at $0.005 per call with a Standard key)

Permission checks
Parameter validation
Token minting
Execution logging
Approval workflow actions

Free operations (Management key)

Creating and managing organizations, tenants, resources, and methods
Registering and updating tools
Defining permission rules
Querying activity logs
All dashboard operations