Authentication


API Keys

Managing API Credentials

StatusPulse uses bearer tokens for REST API access. Keys are scoped to specific environments and rotate automatically after 90 days.

Navigate to Settings > Integrations > API Access to generate a new pair. Each key consists of a public identifier (e.g., sk_live_7f3a9c...) and a secret payload. Store secrets in your CI/CD vault or HashiCorp Vault; they are never displayed after initial creation.

Read-Only Scopes

Use monitoring:read and incidents:read for dashboards and status page syncs. Ideal for third-party tools like PagerDuty or Grafana.

Admin Scopes

Requires monitoring:write, users:admin, and billing:read. Grants full lifecycle control over check configurations, alert routing, and team management.

OAuth 2.0

Implementing the Authorization Flow

For embedded integrations and partner applications, StatusPulse supports standard OAuth 2.0 with the PKCE extension. PKCE secures the token exchange without embedding a client secret in client-side code.

Register your application in the developer console to obtain a client_id. Configure allowed redirect URIs (e.g., https://app.yourdomain.com/callback) and select the required scopes. The authorization endpoint is https://auth.statuspulse.io/oauth/authorize. After user consent, exchange the authorization code for an access token at the token endpoint. Tokens are valid for 1 hour and can be refreshed using the provided refresh_token.

Step 1: Authorization Request

Redirect users to the authorize endpoint with your client_id, redirect_uri, scope, and a code_challenge derived from a cryptographically random code_verifier that your application keeps private until Step 2.

Step 2: Token Exchange

POST the authorization code and code_verifier to /oauth/token. The response includes access_token, refresh_token, and expires_in.
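
The two steps above, worked through as an added example (not StatusPulse's own code). It assumes the S256 challenge method and the standard parameter names from RFC 6749 and RFC 7636 (response_type, state, code_challenge_method, grant_type); the function names and the state check are illustrative choices, and the page does not say which challenge methods StatusPulse accepts.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.statuspulse.io/oauth/authorize"  # endpoint named on this page

def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair():
    """Return (code_verifier, code_challenge). Only the challenge leaves the client in Step 1."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 range the RFC allows
    return verifier, s256_challenge(verifier)

def authorization_url(client_id, redirect_uri, scopes, challenge, state):
    """Step 1: the URL the user is redirected to."""
    params = {
        "response_type": "code",            # standard OAuth 2.0 name, assumed here
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                     # binds the callback to this login attempt
        "code_challenge": challenge,
        "code_challenge_method": "S256",    # assumption: S256 is accepted
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def token_request_body(callback_url, expected_state, client_id, redirect_uri, verifier):
    """Step 2: check the callback, then build the form body to POST to /oauth/token."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in query:
        raise ValueError("authorization failed: " + query.get("error", ["no code"])[0])
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": redirect_uri,       # must match the value sent in Step 1
        "client_id": client_id,
        "code_verifier": verifier,          # server recomputes the challenge from this
    }
```

Keep the verifier and state in server-side session storage or the app's secure store between the two steps, and discard both once the token response arrives.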

Security Best Practices

Hardening Your Integration

Protect your monitoring infrastructure by enforcing strict access controls, rotating credentials proactively, and leveraging our built-in threat detection.

All API requests are signed using HMAC-SHA256 and validated against your account's IP allowlist. Failed authentication attempts trigger automatic rate limiting after 20 requests per minute. Enable audit logging in Settings > Security > API Activity to track key usage, scope changes, and webhook deliveries across your organization.

Credential Rotation

Set up automated rotation via Terraform or our CLI. New keys remain active for 14 days alongside deprecated keys to prevent downtime during pipeline updates.

Webhook Verification

Validate incoming event signatures using the X-StatusPulse-Signature-256 header. Reject payloads older than 60 seconds to prevent replay attacks.