Audit secret usage - Superserve

Because Superserve attaches credentials to outbound requests, every use of a secret is recorded. You get a full trail of what was sent where, with what result — without any cooperation from the code, and without trusting the sandbox.

Requests made with a secret

getAudit() returns the requests authenticated with a secret, across every sandbox that used it, newest first:

const secret = await Secret.get("anthropic-prod")
const events = await secret.getAudit({ limit: 50 })

for (const e of events) {
  console.log(e.ts, e.method, e.host + e.path, "→", e.status)
}

Each event carries the sandbox that made it, the request line, and both the status returned to the sandbox and the upstreamStatus from the real service:

Field	Description
`ts`	When the request was made
`sandboxId` / `sandboxName`	The sandbox that used the secret (`sandboxName` is null if it’s since been deleted)
`method` · `host` · `path`	The request line
`status`	Status returned to the sandbox
`upstreamStatus`	Status from the upstream service
`latencyMs`	Round-trip time
`errorCode`	Set when the request was blocked or failed

Filtering

Narrow to a status class, or page back with the before cursor:

// Only client/server errors.
const errors = await secret.getAudit({ status: "4xx" })

// Page back.
const older = await secret.getAudit({ before: errors.at(-1)!.id })

status accepts "2xx", "3xx", "4xx", "5xx", or "errors" (requests that failed before reaching the service).

Sandboxes using a secret

To see where a secret is bound, getSandboxes() lists the live bindings:

const bindings = await secret.getSandboxes()
for (const b of bindings) {
  console.log(b.sandboxName, "·", b.envKey, "·", b.status)
}

For the full picture of a single sandbox’s traffic — not just secret-bearing requests, but every connection it made — use the network log.

​Requests made with a secret

​Filtering

​Sandboxes using a secret

Requests made with a secret

Filtering

Sandboxes using a secret