A rejection is data. Until recently we were throwing it away.
If an attacker submitted a forged signature against the public verify endpoint, we returned 404 signature_not_found and that was the entire footprint. Same for a cross-org access attempt on the replay endpoint, an agent that got suspended mid-run trying to sign once more, or a probe walking through random sig_* ids.
An older trust-data-infrastructure project we read during a cold audit is explicit about this: log every invocation including the invalid ones, "para auditoria futura". It is the right call. We borrowed it.
What landed
One new table, rejected_attempts. Indexed on (organization_id, created_at) and (agent_id, created_at) for fast org-scoped time-window scans.
A logging helper that captures IP, User-Agent, and X-Request-ID, truncates user-supplied bytes, commits its own row, and swallows persistence failures so logging cannot become a 5xx.
Wired at the verify endpoint (signature and approval not-found branches), the signature lookup and replay endpoints (not-found and cross-org branches), and the sign and countersign paths.
How operators query it
GET /api/v1/observability/rejected-attempts, scoped to your organization, available on every plan including Free. Filters: failure_reason, agent_id, time window, pagination.
What to do with the data
- Probe alerting. N rejections from one IP in M minutes is a probe.
- Suspended-agent retries. A revoked or decommissioned agent that keeps trying is misconfigured or compromised.
- Cross-org access attempts. A bearer token from one org hitting a signature_id from another org is the kind of thing you find out about months later. Now you find out the same hour.
Top comments (0)