Authentication
Generate and manage your credentials
Every StatusPulse account comes with a dedicated API key that grants programmatic access to your monitoring dashboards, alert configurations, and historical uptime data.
Navigate to Settings > Integrations > API Access in your account dashboard. Click "Generate New Key" and assign a descriptive label like `prod-monitoring-cli` or `ci-pipeline-runner`. Keys are scoped to your organization tier and automatically expire after 365 days unless manually rotated. Store keys in environment variables or a secrets manager like HashiCorp Vault or AWS Secrets Manager—never commit them to version control.
Key Rotation
Rotate credentials quarterly. Generate a replacement key, update your deployment config, and revoke the old key via the dashboard. StatusPulse enforces a 15-minute grace period during which both keys remain valid to prevent deployment outages.
Rate Limits
Standard keys are capped at 1,200 requests per minute. Enterprise accounts using dedicated endpoints (`api-enterprise.statuspulse.io`) receive 5,000 RPM with burst allowance. Exceeding limits returns `429 Too Many Requests` with a `Retry-After` header.
Header Format
Pass your key in the `Authorization` header using Bearer token syntax: `Authorization: Bearer sk_live_8f9a2c1d4e5b67890abcdef123456789`. Test keys prefixed with `sk_test_` work exclusively against the sandbox environment.
Third-party integrations and delegated access
Use OAuth 2.0 to securely connect external services like Slack, PagerDuty, or custom CI/CD pipelines without sharing raw API credentials.
StatusPulse supports the Authorization Code flow with PKCE for public clients and standard confidential client flows for server-side applications. Register your application under Settings > OAuth Apps to receive a `Client ID` and `Client Secret`. Define redirect URIs strictly using HTTPS, and scope permissions to `read:monitors`, `write:alerts`, or `admin:org` based on your integration requirements.
Authorization Endpoint
Direct users to `https://auth.statuspulse.io/oauth/authorize` with your client ID, redirect URI, and requested scopes. After consent, StatusPulse returns a short-lived authorization code valid for 10 minutes.
Token Exchange
Post the authorization code to `https://auth.statuspulse.io/oauth/token` alongside your client secret. The response includes an access token (valid for 1 hour) and a refresh token for long-running background services.
Webhook Callbacks
OAuth-enabled integrations can subscribe to real-time status changes. Configure webhook targets in the OAuth app settings and validate incoming payloads using the `X-StatusPulse-Signature` HMAC-SHA256 header.
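One way to validate the `X-StatusPulse-Signature` header on the receiving side, as an added example rather than StatusPulse's own code. It assumes the header carries the hex-encoded HMAC-SHA256 of the raw request body keyed with the webhook's shared secret; the secret, payload, and function name are constructed for illustration.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "X-StatusPulse-Signature"  # header name from the docs above

# Constructed sample values (not real credentials or a real payload).
SECRET = b"whsec_constructed_example"
BODY = b'{"monitor_id":"m_123","status":"down"}'
GOOD_SIG = hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the header matches HMAC-SHA256(secret, raw_body).

    Assumption: the signature is a hex digest computed over the exact bytes
    received on the wire, so verify before any JSON parsing or re-encoding.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # missing or empty header: reject, never skip the check

    try:
        received_mac = bytes.fromhex(received.strip())
    except ValueError:
        return False  # not valid hex: reject instead of raising

    expected_mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(received_mac, expected_mac)


if __name__ == "__main__":
    print("valid payload:   ", verify_webhook(SECRET, BODY, {SIGNATURE_HEADER: GOOD_SIG}))
    tampered = BODY.replace(b"down", b"up")
    print("tampered payload:", verify_webhook(SECRET, tampered, {SIGNATURE_HEADER: GOOD_SIG}))
    print("missing header:  ", verify_webhook(SECRET, BODY, {}))
```

Reject the request with an error status whenever the function returns `False`, and only then hand the body to a JSON parser.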
Hardening your authentication pipeline
Protect your monitoring infrastructure by following industry-standard security protocols and StatusPulse-recommended configurations.
Implement strict IP allowlisting for API endpoints if your team operates from fixed infrastructure. Enable mandatory two-factor authentication (2FA) for all organization members with admin privileges. Audit key usage weekly through the Activity Log, which tracks source IPs, user agents, and endpoint access patterns.
Least Privilege Access
Never grant `admin:org` scope to third-party tools. Assign granular permissions matching the exact endpoints your integration requires. Review and revoke unused scopes quarterly.
Secret Management
Integrate StatusPulse credentials with HashiCorp Vault, Doppler, or AWS Secrets Manager. Rotate secrets automatically using infrastructure-as-code pipelines and enforce TLS 1.2+ for all outbound requests.
Incident Response
If a key is compromised, revoke it immediately via the dashboard or the `DELETE /api/v1/keys/{key_id}` endpoint. StatusPulse invalidates compromised tokens within 60 seconds and triggers a security alert to all org owners.