We pull users, projects, API keys and audit log from OpenAI's Platform admin API. Get a list of keys unused for >90 days (= leak risk), see who added what, export a monthly signed evidence pack for your auditor.
OpenAI's admin API exposes every key per project with a `last_used_at` timestamp. In practice:
monsys highlights every key unused for >90 days + whose owner has left the org. Plus an audit log of who changed what. For when your auditor asks: 'prove you have no orphan keys'.
platform.openai.com → Settings → Organization → Admin Keys → Create. Not a user-key — an Admin Key has access to /v1/organization/* endpoints. Rotate every 90 days.
Dashboard → OpenAI Audit → '+ Connect org'. We verify via a test call. Admin key AES-256-GCM encrypted.
Worker pulls users + projects + per-project API keys + audit_logs. Snapshots replaced each pull; events append-only deduped.
POST /api/v1/openai/evidence-packs for a period → gzipped tarball with users.jsonl + projects.jsonl + api_keys.jsonl + events.jsonl + signed manifest.
Per-user and per-project billed separately because those are the two cost drivers. Daily snapshot, averaged over the month.
Example: 25 users, 3 active projects → 25 × €1 + 3 × €5 = €40/month.
Monthly via Stripe — separate line item 'monsys.ai OpenAI Audit — N users × €1 + M projects × €5'.