API Call Logging
Capture every outgoing or third-party API request with header and body redaction, smart truncation, and automatic correlation to the surrounding business transaction.
Why log API calls?
Prove what data left your service and when. Build evidence for SOC2, ISO 27001, and PCI audits.
Replay third-party calls verbatim. See exactly which payload caused that flaky integration to fail.
Track per-vendor latency and request volume. Spot expensive endpoints before the bill arrives.
Record an API call
Wrap your HTTP client and forward each request to the auditor. The recorder captures method, URL, status, durations, and bodies — redacting and truncating as configured.
err := auditor.API().Record(ctx, audit.APICall{
    Method:       "POST",
    URL:          "https://api.stripe.com/v1/charges",
    StatusCode:   200,
    RequestBody:  bodyBytes,
    ResponseBody: respBytes,
    DurationMS:   142,
})
Header & body redaction
Configure a list of header names and JSON paths to redact before persistence. Sensitive values are replaced with a fixed marker so audit logs stay safe to share with auditors and engineers alike.
{
  "authorization": "Bearer sk_live_abc123...",
  "user": {
    "email": "alice@example.com",
    "ssn": "123-45-6789"
  }
}

{
  "authorization": "[REDACTED]",
  "user": {
    "email": "alice@example.com",
    "ssn": "[REDACTED]"
  }
}
Size truncation
Bodies above your configured limit are truncated and tagged so you can audit large payloads without bloating storage. Tune the cap to match your retention budget.
audit.Config{
    MaxBodyBytes: 64 * 1024,
}
__truncated: true flag so you can detect them downstream.
Cross-concern correlation
Every audit event written inside a transaction shares the same txn_id. Replay the full sequence — DB writes, API calls, more DB writes — when reconstructing what a single business operation actually did.
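The redaction step described under "Header & body redaction", as an added example that is not the library's own code. The dotted path syntax, the function names, case-insensitive key matching and the replace-whole-body behaviour for non-JSON input are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const marker = "[REDACTED]" // fixed marker shown on the page

// redactPath overwrites the leaf of one dotted path; arrays are walked element by element.
func redactPath(node any, parts []string) {
	switch v := node.(type) {
	case []any:
		for _, item := range v {
			redactPath(item, parts)
		}
	case map[string]any:
		for key, child := range v {
			if !strings.EqualFold(key, parts[0]) { // assumption: over-match on case rather than leak
				continue
			}
			if len(parts) == 1 {
				v[key] = marker
			} else {
				redactPath(child, parts[1:])
			}
		}
	}
}

// RedactJSON redacts each path; a body that is not valid JSON is replaced whole (fail closed).
func RedactJSON(body []byte, paths []string) []byte {
	var doc any
	if json.Unmarshal(body, &doc) != nil {
		return []byte(`"` + marker + `"`)
	}
	for _, p := range paths {
		redactPath(doc, strings.Split(p, "."))
	}
	out, _ := json.Marshal(doc) // cannot fail: doc was produced by Unmarshal
	return out
}

func main() {
	// Constructed sample mirroring the page's before/after illustration.
	in := []byte(`{"authorization":"Bearer sk_live_abc123...","user":{"email":"alice@example.com","ssn":"123-45-6789"}}`)
	fmt.Println(string(RedactJSON(in, []string{"authorization", "user.ssn"})))
}
```

Redaction has to run before truncation: cutting a body at the size cap first can leave invalid JSON, which this sketch would then replace entirely instead of redacting field by field.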