Observe

Tool Call Logs

Every tool call your agent makes, captured with full context.

Every tool call that runs through Agent Handler - successful, failed, redacted, blocked - is captured with full context in the Logs dashboard. This is the artifact you’ll use to debug the agent, audit who did what, and answer the questions your security team will ask once a customer files a support ticket.

This page covers Tool Call Logs - individual tool executions made by the agent. For HTTP requests your backend makes against the Agent Handler API, see API Request Logs.

What’s captured

For each tool call, the log row includes:

  • Tool name - namespaced as <Connector>__<tool>, like slack__post_message.
  • Registered User - whose credentials ran the call, with a link to their detail page.
  • Tool Pack - which pack the call came through.
  • Status - success, error, or blocked-by-rule.
  • Latency - total time from receipt to response.
  • Arguments - exactly what the agent passed in, post-redaction.
  • Result - exactly what was returned, post-redaction.
  • Redactions - every Security Gateway match on the call, with the rule that fired.
  • Errors - for failed calls, the error class and message from the Connector.
  • Custom headers - any X- headers your client sent on the request, useful for tracing.
  • Timestamp - when the call started.

Everything is searchable. The full row is exportable.

Filtering

The filter bar covers the dimensions you’ll reach for:

  • Registered User. Find every call a specific end user made. Type to search by origin_user_id or name.
  • Tool name. Narrow to a single tool, or to all tools from one Connector by selecting the prefix.
  • Tool Pack. Useful when you have more than one pack and want to scope debugging.
  • Status. Successful calls only, errors only, blocked-by-rule only.
  • Date range. Last 15 minutes, last hour, last 24 hours, or a custom window.
  • Custom header values. If you set X-Mcp-Session-Id or any other X- header on the MCP request, you can filter by it. This is how you correlate a session in your own UI with the underlying tool calls.

Filters compose. “All slack__post_message calls for user_a3f9b2 in the last hour with status error” is one combined query.

Drilling into a single call

Click any row to open the full call detail. You see:

  • The full arguments JSON.
  • The full result JSON.
  • The redaction trail - every entity matched, which rule, which fields were affected.
  • The Connector’s request to the third party (URL, method, headers; body redacted) and the third party’s raw response (also redacted).
  • A latency breakdown across auth, security gateway, Connector dispatch, and third-party round-trip.

For a failed call, you also get the error class (auth_error, not_found, rate_limit_exceeded, connector_error) and the message returned upstream.

Debugging a failure

The flow for “the agent’s tool call didn’t do what I expected”:

  1. Find the call. Filter to the Registered User and the tool, narrow by time. The call should be there within seconds of the agent running.
  2. Check status. If it’s a success but the result was wrong, the issue is upstream - the third party returned what it returned. If it’s an error, read the error class.
  3. Read the arguments. Did the model pass what you expected? If not, the fix is usually a Tool Description Override or a Tool Input Override to constrain what the model can produce.
  4. Read the redaction trail. If a field is missing from the result, a rule probably redacted it. The redaction trail tells you which rule. Adjust the rule, scope it to a different Tool Pack, or accept the redaction.
  5. Check the Connector request. For auth_error, the user’s stored credentials are bad - re-run Link or Magic Link for that Connector. For not_found, the resource doesn’t exist or the user doesn’t have access. For rate_limit_exceeded, you (or your customer) have hit the third party’s quota.

Retention and export

Tool Call Logs are retained for 90 days on standard plans, longer on enterprise. Beyond retention, individual calls aren’t queryable through the dashboard; subscribe to the tool_call and tool_call_error webhooks to forward events to your own warehouse if you need a longer history.

Bulk export is available from the dashboard for any filtered view. CSV with one row per call.

If you’ve passed origin_company_id on your Registered Users, the Company’s detail page has a pre-filtered tool-call view - useful for “show me everything Acme did this week.” For investigation flows starting from a security alert, see Violations and alerts.

Next

Debug your backend’s calls to the Agent Handler API with API Request Logs.