
Updated July 2026
GIFQ — the payout API and gift card API that delivers rewards across 90+ countries from a 5,000+ brand catalog — now records an attributable audit trail across 24 core models, plus first-class security events: who changed what, when, and from where.
If your platform sends money, top-ups, or gift cards to thousands of end users — players, creators, sellers, survey respondents — your compliance and finance teams eventually ask the same three questions:
Until now, answering those questions with most reward vendors meant emailing support and hoping. As of this release, on GIFQ the answer is a queryable log entry.
Audit logging covers 24 core models across payouts, orders, products, companies, balances, API tokens, and user and recipient records. Every covered change produces an audit record with:
Actor context on every write. Each record identifies who or what triggered it — a named admin user, a specific API token, an authenticated recipient, a background job, or an explicit anonymous marker for pre-authentication recipient look-ups. Even unauthenticated attempts leave a trail.
Source IP for HTTP-triggered actions. Requests that come in over the API or dashboard carry the originating IP address on the audit record.
Field-level before/after values. Changes to audited records store a readable diff of what the values were and what they became — not just "something changed."
Security-event logging. Sensitive operations are logged as first-class events with actor attribution: one-time passcodes sent and verified, invalid OTP attempts, and every reveal of a delivery secret (such as a gift card code).
Automated catalog syncs are audited too. Every product update pulled from our six upstream gift-card providers is attributed to the specific background worker that made the change, with a full field-level diff. Unchanged products produce zero log rows — the trail stays signal-only instead of drowning in sync noise.
Sensitive data stays out of the logs. Tokens, claim codes, delivery secrets, and banking-sensitive fields are excluded from the recorded diffs by design. The audit trail proves the action happened without duplicating the secret it protects.
Audit trails are the difference between a reward vendor and payout infrastructure. Three situations where this shows up in practice:
Vendor due diligence. When your security or procurement team reviews GIFQ, "are admin and API actions attributable?" now has a concrete answer — actor, timestamp, IP, and field-level diff across 24 core models — rather than a paragraph of reassurance.
Dispute resolution. A recipient claims a code was never revealed; a finance team asks why a balance moved. Secret-reveal events and balance change history give both sides a shared, timestamped record instead of competing recollections.
Internal investigations. If something looks wrong — a product edited mid-campaign, a payout canceled unexpectedly — the log answers "who, when, from where" in minutes. This is the boring infrastructure that gaming, fintech, and crypto platforms are actually buying when they choose a payout provider.
On the roadmap: customer-facing audit export. In the meantime, GIFQ staff can pull audit evidence for enterprise incidents on request.
GIFQ is operated by Gift Quest OÜ, a registered Estonian company subject to GDPR and EU consumer protection law. Audit logging extends that posture from policy into product: platform actions carry actor context, security-relevant events are recorded, and sensitive values are redacted from logs by default.
Combined with webhook-based delivery confirmation and a sandbox environment for integration testing, the audit trail closes the loop for teams that need to treat rewards and payouts as auditable money movement — not a marketing tool bolted onto a spreadsheet.
Ready to look under the hood? Test the API in the GIFQ sandbox or talk to sales about enterprise requirements.
Sign up for latest GIFQ updates, partner news, and practical use cases.



Whether you’re paying people out or giving them rewards worth staying for, GIFQ is the layer that handles it, under your brand and without the integration headache. Create an account and send a test payout in a few minutes, or talk it through with one of us directly.