Activity Log —
know who accessed what and when

Every create, update, and delete on vault items is logged with the item name (decrypted client-side for display), item type, vault it belongs to, and the full change context. For credential updates, the timestamp shows exactly when a password was last rotated — critical for compliance policies.

When a vault item is opened and when a sensitive field (password, API secret, CVV) is copied to clipboard — both are logged. Most audit systems only log writes. Vault logs reads and copies too, because knowing who accessed a credential is as important as knowing who changed it.

Vault shared with a new member, member removed from vault, vault owner transferred — all sharing events are logged. See the exact timestamp when a team member was granted access and when that access was revoked. Important for tracking who had access during any given time window.

Every vault unlock — successful and failed — is logged with timestamp, IP address, and device fingerprint. Multiple failed unlock attempts on the same vault are highlighted as a potential security concern. Track when a team member accessed a shared vault and from what location.

Every log entry includes a precise UTC timestamp with millisecond resolution. All times are displayed in your local timezone with the UTC offset shown. Timestamps are server-generated and cannot be manipulated by the client, ensuring an accurate record of when events occurred.

The name and email of the user who performed the action. For shared vaults, this identifies exactly which team member accessed or modified an item — even if multiple people have access to the same vault. Former team members retain their identity in historical log entries.

The IP address of the request is logged and reverse-geocoded to an approximate city and country. Unusual access patterns — a login from a country no team member works in, an IP address associated with a known VPN or Tor exit node — are visually flagged in the log view.

Browser name, version, and operating system are captured from the User-Agent header. Device fingerprinting helps distinguish between legitimate access from your regular browser and suspicious access from an unrecognized device — even from the same IP address.

Filter the activity log by vault (which vault was accessed), user (who performed the action), action type (view, copy, create, update, delete, share), and date range. Combine filters — "show all copy events on the Production API Keys vault in the last 30 days" — to answer specific security questions.

View the complete history of a specific vault item — all accesses, modifications, and sharing events for that one credential or document, in chronological order. Useful when investigating: "has anyone accessed the database password since the breach notification?"

Export filtered log data as CSV for inclusion in security audits, SOC 2 reports, ISO 27001 documentation, and incident response reports. The export preserves all fields including UTC timestamps and IP addresses in machine-readable format.