diff --git a/src/content/docs/dev/admin/technical/audit-logging.mdx b/src/content/docs/dev/admin/technical/audit-logging.mdx
new file mode 100644
index 0000000..7c7345c
--- /dev/null
+++ b/src/content/docs/dev/admin/technical/audit-logging.mdx
@@ -0,0 +1,60 @@
+---
+title: "Audit Logging"
+---
+
+Ricochet writes an audit log for security-related and administrative operations.
+Each entry is appended as a single JSON line to `RICOCHET_HOME/logs/audit/audit.log`.
+
+## Audited operations
+
+| Action                        | Event              | Details                                         |
+| ----------------------------- | ------------------ | ----------------------------------------------- |
+| User role change              | `user.role_change` | Old role, new role, actor, target user          |
+| First admin bootstrap         | `user.first_admin` | User promoted to admin as first registered user |
+| Execution environment created | `exec_env.create`  | Environment name, actor                         |
+| Execution environment updated | `exec_env.update`  | Environment name, changes, actor                |
+| Execution environment deleted | `exec_env.delete`  | Environment name, actor                         |
+| Content access granted        | `access.grant`     | Content ID, target user, role                   |
+| Content access revoked        | `access.revoke`    | Content ID, target user, role                   |
+
+## Log format
+
+Each line is a JSON object with the following fields:
+
+```json
+{
+  "timestamp": "2026-02-23T14:30:00+01:00",
+  "action": "user.role_change",
+  "actor": "<user_id>",
+  "target": "<target_user_id>",
+  "details": { "old_role": "consumer", "new_role": "developer" },
+  "success": true
+}
+```
+
+| Field       | Description                                                 |
+| ----------- | ----------------------------------------------------------- |
+| `timestamp` | ISO 8601 timestamp with timezone                            |
+| `action`    | The operation that was performed                            |
+| `actor`     | The user or system component that initiated the action      |
+| `target`    | The resource or user the action was performed on (optional) |
+| `details`   | Additional context as a JSON object (optional)              |
+| `success`   | Whether the operation succeeded                             |
+| `error`     | Error message when `success` is `false` (optional)          |
+
+## Log rotation
+
+Audit logs are rotated daily.
+When rotation occurs, the previous day's log is compressed with gzip and renamed to `audit-YYYY-MM-DD.log.gz`.
+Archived logs are never automatically deleted.
+
+## File location
+
+```
+RICOCHET_HOME/
+└── logs/
+    └── audit/
+        ├── audit.log              # current day
+        ├── audit-2026-02-22.log.gz
+        └── audit-2026-02-21.log.gz
+```