Focused Tool · BSL 1.1 · Single Binary

Verifiable audit trail. Tamper-evident by design.

SHA-256 hash-chained event log. Any modification breaks the chain. One API call verifies the entire ledger. Export evidence packs for SOC2, HIPAA, and GDPR compliance reviews.

Install Brand Free Pro — $4.99/mo Docs GitHub

Quickstart

Running in under 60 seconds.

Install

curl -fsSL https://stockyard.dev/brand/install.sh | sh

Run

BRAND_ADMIN_KEY=secret brand

  Ingest:  POST http://localhost:8750/api/events
  Verify:  GET  http://localhost:8750/api/verify
  Export:  GET  http://localhost:8750/api/evidence/export

Append events and verify the chain

# Append from any service — no SDK required
curl -s -X POST http://localhost:8750/api/events \
  -H 'Content-Type: application/json' \
  -d '{"type":"user_login","actor":"alice","detail":{"ip":"1.2.3.4"}}'

# Verify the entire chain in one call
curl -s http://localhost:8750/api/verify -H 'Authorization: Bearer secret'
# → {"valid":true,"checked":42,"message":"chain intact — 42 entries verified"}

# Export an evidence pack for a date range
curl -s "http://localhost:8750/api/evidence/export?from=2026-01-01" \
  -H 'Authorization: Bearer secret' > evidence-q1.json

See it

Brand appends events to a SHA-256 hash chain. One call verifies the entire ledger. The dashboard shows the live event feed, chain health, policy templates, and evidence export.

Use cases

Three things developers use this for.

SOC2 and HIPAA audit evidence

Auditor asks for evidence of who accessed what and when. Export a Brand evidence pack — a self-contained JSON bundle with the event log and cryptographic chain proof.

Tamper-evident application logs

Standard DB logs can be modified without detection. Brand's hash chain means any deleted or altered record breaks verification immediately, with an exact pointer to where.

EU AI Act compliance logging

Apply the eu_ai_act policy template and Brand tracks all AI inference calls, automated decisions, and human overrides — the records the regulation requires.

Why this exists

Most audit entries tools fall into two camps: free products that harvest your data, or enterprise platforms that cost more than the problem they solve. Brand exists because neither option makes sense when you just need a reliable audit trail and compliance log under your own control.

How it works

Deploy Brand as a systemd service, a Docker container, or a bare process. It reads PORT and DATA_DIR. The /api/health endpoint returns status for monitoring.

In practice

Every API call, config change, and access event gets a hash-chained, tamper-evident log entry. When compliance asks "who changed what and when," you point them at Brand's audit ledger instead of digging through application logs.

Pricing

Free to run. Pro when you need more.

Free

forever, self-hosted

Best for: solo devs and small apps

10,000 events / month
7-day retention
Hash-chained event log (SHA-256)
Basic chain verification
Single workspace
JSON event export
Basic evidence pack export

Get started →

Pro

$4.99

per month

Best for: teams with compliance requirements

Unlimited events (fair use)
90-day retention
Multiple workspaces
Scheduled evidence pack export
Advanced verification bundle
Policy templates (SOC2, HIPAA, GDPR, EU AI Act)
Filtered exports by actor, type, date
Chain health checks and status endpoint
Tamper detection status in exports
Signed evidence bundle metadata

Scope

When Brand is the right tool.

Brand is for applications that need a compliance audit trail — SOC2, HIPAA, GDPR, or EU AI Act. Free covers 10,000 events/month and 7-day retention. Pro ($4.99/mo) unlocks unlimited events, 90-day retention, policy templates, and signed evidence bundles.

The broader picture

When you need the full LLM control plane.

Learn about Stockyard →

After you upgrade

How Pro gets activated.

When your payment goes through, you'll receive an email at the address you used at checkout. The email contains your license key — a string that starts with stockyard_.

Set it as an environment variable before starting Brand:

BRAND_LICENSE_KEY=stockyard_your_key_here brand

  License:   Pro (your-email@example.com)
  Dashboard: http://localhost:8750/ui

That's it. Pro features unlock immediately on startup — no restart required after the first run, no account to log into, no phone-home check. The key is verified locally.

Didn't get the email?
Check your spam folder first. If it's not there after 5 minutes, email hello@stockyard.dev with your payment confirmation and we'll send the key manually.

FAQ

How does the hash chain work?

Each event records the SHA-256 hash of the previous event. Verification re-computes every hash from scratch and checks that the chain is unbroken. Any modification invalidates all subsequent hashes.

Can I POST events from any language?

Yes. The ingest endpoint is plain HTTP POST with JSON. No SDK required. Works from curl, Python, Node, Go, or anything that makes HTTP requests.

What happens when I hit the free event limit?

Brand logs a warning but does not drop events on self-hosted instances. The limit is enforced on the managed service tier. Upgrade to Pro to remove the cap.

What compliance frameworks does Brand cover?

Built-in policy templates for SOC2 Type II, HIPAA Audit Controls, GDPR Article 30, and EU AI Act. Apply them in one API call.

What's the license?

BSL 1.1. Free for small teams. Commercial license for organizations over 10 members. Contact hello@stockyard.dev.

Get started

Start building a tamper-evident audit trail.

One POST to ingest. One GET to verify. Free to start.

Install Brand Free Upgrade to Pro

Part of Stockyard Complete — all 150 tools for $29/mo