Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Health Checks and Monitoring

Health Endpoint

Vouch exposes a health check endpoint:

GET /health

Response:

{"status": "healthy"}

This endpoint:

  • Returns HTTP 200 when the server is operational
  • Is accessible over HTTP (port 80) even when TLS is configured, for load balancer health checks
  • Does not require authentication

Monitoring Endpoints

EndpointMethodAuth RequiredDescription
/healthGETNoServer health status
/.well-known/openid-configurationGETNoOIDC discovery (verifies OIDC provider is functional)
/.well-known/oauth-protected-resourceGETNoOAuth 2.0 Protected Resource Metadata (RFC 9728)
/v1/credentials/ssh/caGETNoSSH CA public key (verifies SSH CA is loaded)

Log Format

Vouch uses structured logging via tracing. Set the log level with the RUST_LOG environment variable:

# Production (warnings and errors only)
RUST_LOG=warn

# Standard operation
RUST_LOG=info

# Debugging
RUST_LOG=debug

# Component-specific logging
RUST_LOG=vouch_server=debug,tower_http=info

Audit Events

Authentication, credential issuance, and administrative events are written to the audit_events table and browsable at /admin/audit. Emails are masked to domain-only, with an HMAC column for correlation.

Authentication and key lifecycle

Event TypeDescription
login_successUser authenticated — FIDO2 passkey login, or a returning user signing in on the website via the upstream IdP (the latter has no authenticator_id)
login_failedFailed authentication attempt
enrollmentUser enrolled their first hardware key
logoutUser logged out (including RFC 7009 token revocation)
key_registeredAdditional hardware key registered (vouch register)
key_removedHardware key removed
device_auth_approvedBrowser approved a CLI device-authorization request
key_registration_replayReplayed key-registration link rejected (possible attack)

Credential issuance

Event TypeDescription
ssh_credentialSSH certificate issued; data includes the serial, principals, requesting agent, and expiry
aws_credentialAWS OIDC token issued; data includes the pinned IAM role_arn (the https://aws.amazon.com/roles claim), the requesting agent, and token expiry
github_credentialGitHub installation token issued or installation connected; data includes repositories and permissions
token_exchangeRFC 8693 token exchange (workload identity federation); data includes the client, audience, scope, and issued token type

OAuth clients

Event TypeDescription
oauth_token_issuedToken issued at /oauth/token (data.details carries the grant type)
oauth_token_revokedAll tokens for an application revoked
oauth_client_registeredOAuth client registered (RFC 7591 or applications UI)
oauth_client_updatedOAuth client configuration updated
oauth_client_deletedOAuth client deleted
oauth_secret_addedClient secret added
oauth_secret_revokedClient secret revoked

Administration and organization

Event TypeDescription
admin_promote / admin_demoteOrg-admin role granted / removed
admin_activate / admin_deactivateUser account reactivated / deactivated
admin_revoke_credentialsAdmin revoked a member’s keys, sessions, and certificates
admin_remove_userAdmin removed a member from the organization
admin_policy_create / admin_policy_update / admin_policy_delete / admin_policy_togglePosture policy changes
admin_create_scim_token / admin_delete_scim_token / admin_revoke_scim_tokenSCIM token lifecycle
scim_operationSCIM provisioning operation (data carries operation and resource type)
org_domain_added / org_domain_verified / org_domain_removed / org_domain_expired / org_domain_unverifiedAdditional-domain lifecycle
org_subdomain_claimed / org_subdomain_releasedIssuer subdomain lifecycle
org_issuer_key_rotatedPer-org issuer signing keys rotated (one event per algorithm)
org_issuer_key_revokedPer-org previous signing keys revoked (one event per algorithm)
org_issuer_key_emergency_rotationEmergency rotation of per-org issuer keys (one event per algorithm)

Retention

Configure retention periods for audit events:

# Auth events (login, enrollment, logout, key/device-auth lifecycle)
# — default 90 days
VOUCH_AUTH_EVENTS_RETENTION_DAYS=730

# OAuth usage and credential-issuance events (oauth_*, aws_credential,
# github_credential, ssh_credential, token_exchange) — default 90 days
VOUCH_OAUTH_EVENTS_RETENTION_DAYS=90

Events older than the retention period are cleaned up automatically by the background cleanup task (controlled by VOUCH_CLEANUP_INTERVAL).

Alerting Recommendations

ConditionAlert LevelDescription
/health returns non-200CriticalServer is unhealthy
Multiple failed login attemptsWarningPossible brute force
SSH CA key not loadedWarningSSH certificates won’t be issued
Database approaching capacityWarningSQLite file growth or PostgreSQL storage
Session cleanup failingWarningCheck cleanup interval and retention settings