Skip to main content
Every operation on a document is automatically logged with who performed it, when, and how. The audit trail is visible in the dashboard’s Document Editor and persists for the lifetime of the document.

What Gets Logged

EventDescription
uploadedDocument uploaded to the dashboard
generatedPDF rendered via API (POST /v1/render/:slug)
redactedSensitive content redacted
mergedMultiple PDFs combined
certifiedDigital signature applied
downloadedDocument downloaded from the dashboard
deletedDocument removed

Who Gets Logged

  • Dashboard users: The user’s email address (from Clerk authentication)
  • API key users: The API key name (e.g., “Production Key”) — not the key itself
This distinction makes it easy to trace actions to specific users or integrations.

Viewing the Audit Trail

Open any document in the Document Editor and expand the History panel. Events are shown in reverse chronological order with:
  • Event type (with icon)
  • Actor (user email or “API - Key Name”)
  • Timestamp

Durability

Audit events are tied to the document record and survive:
  • Document re-renders
  • Metadata updates
  • Status changes (draft → sent → paid)
Events are only removed when the document itself is permanently deleted (after the retention period expires).

Use Cases

  • HIPAA compliance: Demonstrate who accessed or modified patient documents
  • Legal discovery: Prove chain of custody for certified documents
  • Internal audit: Track which API key or team member generated specific documents
  • Incident response: Identify when and how a document was modified