Audit and Compliance

Use Zerq audit and request logs together: audit explains config intent, request logs prove runtime enforcement.

What to retain

  • Publish events for collections, proxies, and profiles.
  • Auth method and policy changes with actor identity.
  • Credential create/rotate/revoke events.
  • Runtime request samples for control verification.

Control verification examples

  • Authentication control: denied request returns 401.
  • Authorization control: denied request returns 403.
  • Method governance: blocked method returns 405.
  • Abuse control: quota enforcement returns 429.

Practical audit query workflow

  1. Pull all config changes in the incident or review window.
  2. Map each change to affected routes/profiles.
  3. Validate that runtime statuses match expected control behavior.
  4. Archive evidence package with request IDs and audit records.

Sample runtime probe request for control verification:

  curl -i "https://gateway.example.com/v1/compliance-probe" \
    -H "Authorization: Bearer $TOKEN" \
    -H "X-Client-ID: audit-checker" \
    -H "X-Profile-ID: prod-audit"
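An added example in Python (not Zerq's own code or log schema) of steps 3 and 4 of the workflow: constructed audit and request-log records are checked against the expected statuses listed under "Control verification examples", and each config change is bundled with its related request IDs and any enforcement mismatches as the evidence package. The field names (control, profile, routes, request_id) and the sample records are assumptions.

```python
# Expected runtime status per control, from the control verification list.
EXPECTED_STATUS = {"authentication": 401, "authorization": 403,
                   "method_governance": 405, "abuse_quota": 429}

# Constructed sample data; field names are assumptions, not Zerq's log schema.
SAMPLE_AUDIT = [
    {"event": "policy.update", "actor": "alice", "profile": "prod-audit",
     "routes": ["/v1/orders"]},
]
SAMPLE_REQUESTS = [
    {"request_id": "req-001", "route": "/v1/orders", "profile": "prod-audit",
     "control": "authentication", "status": 401},
    {"request_id": "req-002", "route": "/v1/orders", "profile": "prod-audit",
     "control": "authorization", "status": 403},
    {"request_id": "req-003", "route": "/v1/orders", "profile": "prod-audit",
     "control": "abuse_quota", "status": 200},   # quota hit but not enforced
    {"request_id": "req-004", "route": "/v1/health", "profile": "prod-audit",
     "control": None, "status": 200},            # ordinary allowed request
]


def verify_controls(requests):
    """Step 3: every control decision must carry the status that control owes."""
    findings = []
    for r in requests:
        control = r.get("control")
        if control is None:
            continue  # no control fired on this request, nothing to verify
        expected = EXPECTED_STATUS.get(control)  # None for an unknown control
        if r["status"] != expected:              # unknown controls are flagged too
            findings.append({"request_id": r["request_id"], "control": control,
                             "expected": expected, "observed": r["status"]})
    return findings


def build_evidence(audit, requests):
    """Steps 1, 2 and 4: map each config change to the requests on its
    routes/profile and bundle request IDs plus mismatches as evidence."""
    package = []
    for change in audit:
        related = [r for r in requests if r["profile"] == change["profile"]
                   and r["route"] in change["routes"]]
        package.append({"change": change,
                        "request_ids": [r["request_id"] for r in related],
                        "mismatches": verify_controls(related)})
    return package
```

In a real review the two sample lists would be replaced by the audit and request-log exports for the window under review.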