Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.truthlocks.com/llms.txt

Use this file to discover all available pages before exploring further.

When you contact Truthlocks support and troubleshooting requires access to your tenant, support staff use impersonation sessions — time-limited, scope-restricted sessions that are fully recorded in your audit log.

How it works

1

Support creates a session

A support staff member creates an impersonation session specifying your tenant, the required permission scopes, a TTL, and a reason for access. Sessions can optionally be scoped to a specific organization within your tenant.
2

Session is time-limited

Every session has a configurable time-to-live (TTL) between 1 and 60 minutes (defaults to 15 minutes). When the TTL expires, access is revoked immediately — no manual action required.
3

Actions are recorded

Every HTTP request the support staff member makes during the session is recorded in a dedicated access log with the method, path, status code, and request ID. These events also appear in your tenant’s audit log.

Session properties

PropertyDescription
TenantThe tenant the session grants access to.
Organization(optional) A specific organization within the tenant. When set, access is restricted to that organization’s data only.
ScopesThe permissions granted for the session. Defaults to read_only if none are specified.
TTLTime-to-live in minutes (1–60, defaults to 15).
ReasonA human-readable explanation of why the session was created (minimum 10 characters).
StatusACTIVE (in use), EXPIRED (TTL reached), or REVOKED (manually ended).
IP addressThe IP address of the support staff member who created the session.
User-AgentThe browser or client used by support staff.
Issued atWhen the session was created.
Expires atWhen the session automatically expires, based on the TTL.

Session lifecycle

  • Active — the session is in use and the support staff member has access to the granted scopes.
  • Expired — the TTL has been reached and access is automatically revoked.
  • Revoked — a platform administrator ended the session early. The administrator’s identity and an optional revocation reason are recorded.

Reviewing support activity

Audit log

All support session activity appears in your tenant’s audit log. Filter by the support_session event category to see exactly what was accessed and when. 
curl "https://api.truthlocks.com/v1/audit?category=support_session" \
  -H "X-API-Key: tl_live_..."
Each audit event includes the session ID, the staff member’s identity, the action performed, and a timestamp.

Per-session access logs

You can also retrieve a detailed access log for a specific session. Each entry records the HTTP method, request path, response status code, and a unique request ID. 
curl "https://api.truthlocks.com/v1/platform/support/sessions/{session_id}/access-logs" \
  -H "X-API-Key: tl_live_..."

[
  {
    "method": "GET",
    "path": "/v1/attestations",
    "status_code": 200,
    "request_id": "req_abc123",
    "timestamp": "2026-03-26T14:30:00Z"
  }
]

Security guarantees

Scoped access

Sessions are restricted to specific permission scopes and, optionally, a single organization. Support cannot access resources outside the granted scopes.

Time-limited

Every session expires automatically based on its TTL (1–60 minutes). There are no permanent support access grants.

Full audit trail

Every HTTP request is recorded in the session’s access log with the staff member’s IP address and User-Agent.

Revocable

Active sessions can be revoked at any time by a platform administrator, with an optional reason.

Audit logs

View and export your tenant’s audit events.

RBAC

Understand roles and permission scopes.