Full Audit Trail

Your agent failed at 3am. The customer reports they got a wrong response. Your boss asks "what did the agent do?" Can you answer?

With most agent setups, the answer is "we added some print statements and we're investigating." With Hexel Tool Gateway, you open the audit log and see everything in 30 seconds.

What's logged for every execution:

• **Input hash**: cryptographic hash of the exact input sent
• **Output hash**: cryptographic hash of the response received
• **Credential used**: which connected account and auth config
• **Trace context**: OpenTelemetry trace_id and span_id for distributed tracing
• **Timing**: request_started_at, response_received_at, total_duration_ms
• **Status**: success, failure, timeout, rate_limited, circuit_open
• **Dedup**: whether this was a fresh call or a cached/deduped response

Evidence Bundles

For compliance-sensitive environments, the gateway produces cryptographic evidence bundles — you can prove exactly what was sent and received, with cryptographic integrity.

Workspace-Scoped Isolation

Audit logs are scoped by workspace. Team A can't see Team B's execution history. Each workspace gets its own retention policy.

Querying

Filter by: tool_slug, agent_id, time_range, status, credential_id, trace_id. Find any execution in seconds.

Before: Custom logging per integration. No standardization. No input/output proof. Debugging takes hours of log-diving.

After: Structured, searchable, cryptographically verifiable audit of every single tool call your agents ever made.