Inspect policy decisions
The Policy Decisions tab on /audit is the deeper layer behind the action log. Where Actions tells you what an agent tried to do, Policy Decisions tells you what the proxy decided about it and why.
Open the tab
/audit → click Policy Decisions tab.
If the project hasn’t accumulated any policy evaluations yet, you’ll see:
“No policy decisions yet. AuthZEN evaluations appear here when agents make requests.”
That’s normal for a brand-new account.
What each row shows
| Column | Meaning |
|---|---|
| Time | When the decision was made |
| Subject | The agent that asked (short ID or SPIFFE) |
| Action | The scope being evaluated |
| Resource | The platform + resource pattern |
| Decision | allow or deny |
| Reason | One of approved / scope_not_granted / agent_suspended / circuit_breaker_open / etc. |
Click a row for the full evaluation metadata, including the policy that matched.
When you actually use this
- An action you expected to be allowed is being denied. Open the Policy tab, filter to the agent, and find the most recent denial. The Reason column tells you which rule fired (e.g.,
scope_not_grantedmeans the agent doesn’t hold that scope;agent_suspendedmeans the circuit breaker tripped). - You suspect circuit breaker false positives. Filter by reason =
circuit_breaker_opento see which agents are hitting the limit and why. - You’re integrating AuthZEN with another system. This log is your reference for what decision strings AgentValet emits — useful when wiring your own evaluator on top.
Difference from the Actions tab
Both tabs share the same audit_log table, but the Actions tab filters to outcomes (what happened to the request) and the Policy tab focuses on the decision metadata (what the proxy decided to do and why). For most operational debugging, the Actions tab is enough — switch to Policy when you need the “why”.