Audit & Receipts
Every tool execution in Nexla -- whether triggered by an AI agent via MCP or directly through the REST API -- generates an immutable receipt. Receipts provide a tamper-proof audit trail for compliance, debugging, and usage analytics.
What Are Receipts?
Receipts are immutable records created automatically for every tool execution. Each receipt captures the full context of the execution: who invoked the tool, which tool was called, what the outcome was, and how the request was authorized. Receipts cannot be modified or deleted once created, ensuring a tamper-proof audit trail that satisfies compliance and governance requirements.
Receipt Contents
Each receipt includes the following fields:
| Field | Description |
|---|---|
| Receipt ID | Unique identifier (UUID) for the receipt |
| Principal | Who executed the tool -- a user, agent, or service identity |
| Tool | Which tool was executed, identified by tool ID and tool key |
| Version | Semantic version of the tool at execution time (e.g., 1.0.0) |
| Result Status | ok (success) or error (failure) |
| Policy Decision | allow, deny, allow_with_redactions, or allow_with_limits |
| Actor Type | human, agent, or service |
| Auth Type | How the caller authenticated: api_key, oauth, oidc_jwt, or mtls |
| Args Hash | SHA-256 hash of the input arguments |
| Row Count | Number of rows returned (for data results) |
| Truncated | Whether the result was truncated |
| Trace ID | Distributed tracing identifier for debugging across services |
| Timestamp | When the execution occurred |
Viewing Receipts
To view receipts, navigate to the AI tab in the Nexla Platform and select Audit & Receipts. The default view shows recent executions across all tools, ordered by timestamp (most recent first). Each row in the table displays the receipt ID, tool name, principal, result status, policy decision, and timestamp.
Filtering Receipts
Use the filter panel to narrow results and find specific executions:
- Search -- Enter a receipt ID, tool name, or principal to search across all receipt fields.
- Result Status -- Toggle between
ok(successful) anderror(failed) executions. - Policy Decision -- Filter by
allow,deny,allow_with_redactions, orallow_with_limits. - Date Range -- Set explicit from/to dates, or use the Last 7 days quick toggle to see recent activity.
- Tool -- Filter by a specific tool ID to see all executions for a single tool.
Combine filters to quickly isolate specific executions. For example, filter by error status and a specific tool to debug failures, or filter by deny policy decision to identify blocked requests.
Receipt Details
Click any receipt in the table to open the detail drawer. The detail view includes:
- Input arguments -- The full set of arguments passed to the tool (hashed via SHA-256 for security).
- Execution result -- The complete result returned by the tool, including any data or error messages.
- Policy evaluation -- Details of the policy decision, including which policy was applied and any redactions or limits enforced.
- Timing information -- Execution duration and timestamps for request and response.
- Trace ID -- The distributed tracing identifier, which you can use to correlate this execution with logs in external observability systems.
Exporting Receipt Data
Export filtered receipts as JSON for external analysis, compliance reporting, or integration with monitoring systems. After applying your desired filters, click Export as JSON to download the matching receipts. The exported file includes the full receipt details for each matching execution.
The export respects your current filters. Make sure the filter panel reflects the data you want before exporting.
Use Cases
Compliance and Governance
Receipts provide auditable proof of every tool execution. Use them to demonstrate who accessed what data, when the access occurred, and whether the access was policy-compliant. The combination of principal identity, policy decision, and authentication type gives compliance teams the detail they need for regulatory reporting and access reviews.
Debugging
When a tool execution fails, the receipt captures the full error context. Use the trace ID to follow the execution across distributed services, review the input arguments to identify malformed requests, and check the policy decision to determine whether the failure was caused by an authorization issue or an upstream data problem.
Usage Analytics
Track tool usage patterns over time by filtering and exporting receipt data. Identify your most frequently used tools, monitor error rates across tools or principals, and detect unusual access patterns. Export receipt data to your analytics platform for dashboards and alerting.
API Access
You can query receipts programmatically using the REST API. The GET /v1/receipts endpoint supports the same filters available in the UI, including receipt_id, principal, from/to datetime, tool_id, result_status, and policy_decision.
See the Receipts API for full endpoint documentation, request parameters, and response schemas.