Tokens & Audit FAQ

#What are execution tokens?

An execution token is a single-use, HMAC-signed proof that a tool execution was authorized.

After confirming a tool is allowed (via permission check or approval), your system calls the token minting endpoint. The token contains a nonce that can only be used once, preventing replay attacks.

Tokens provide cryptographic evidence that

The permission was checked before execution
The specific tool and parameters were authorized
The token was not reused from a previous execution

#How does audit logging work?

oakallow logs every significant action

Permission checks record the tool, tenant, resource, method, and the resolved permission with the level it resolved from
Approval requests record creation, decisions (approve/deny), and expiration
Execution logs record the tool name, parameters, result (success/failed/error), duration, and the run token used

All logs include timestamps and are queryable through the dashboard Activity page and the API. Logs are scoped to your developer account.

#What operations are billable?

Billable operations (charged at $0.005 per call with a Standard key)

Permission checks
Parameter validation
Token minting
Execution logging
Approval workflow actions

Free operations (Management key)

Creating and managing organizations, tenants, resources, and methods
Registering and updating tools
Defining permission rules
Querying activity logs
All dashboard operations