Authentication - API Keys & OAuth


Secure Access for Automated Monitoring

StatusPulse enforces strict authentication protocols to protect your infrastructure telemetry. Whether you're integrating uptime checks into CI/CD pipelines or provisioning read-only dashboards for cross-team visibility, our authentication layer ensures granular control over who accesses your monitoring data.

We support long-lived API keys for server-to-server automation and OAuth 2.0 for enterprise SSO workflows. All credentials are hashed using Argon2id, rotated automatically after 365 days, and scoped to specific resource groups like `read:checks`, `write:alerts`, or `admin:billing`.

API Key Management

Server-to-Server Automation

Generate scoped API keys directly from your workspace settings. Each key is bound to a specific environment and can be restricted to individual check groups or alert routing rules.

1. Create & Scope

Navigate to Settings > Integrations > API Keys. Select your target workspace, assign scopes like `read:metrics` or `write:checks`, and generate a 64-character base64 key. Keys are prefixed with `sp_live_` for production and `sp_test_` for sandbox environments.

2. Rotate & Revoke

Enforce automatic rotation every 90 days via the dashboard or trigger immediate revocation through the `POST /v1/api-keys/revoke` endpoint. Revoked keys remain in a 30-day quarantine window for audit logging before permanent deletion.

3. Validate Headers

Pass credentials using the `Authorization: Bearer <api_key>` header, where `<api_key>` is the generated key. StatusPulse rejects keys transmitted via query parameters or POST bodies. Rate limits are enforced per key at 1,200 requests per minute for standard tiers.
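The three steps above describe the rules a request carrying an API key must satisfy: the key arrives only in the `Authorization: Bearer` header, it carries an `sp_live_` or `sp_test_` prefix on a 64-character base64 body, it is scoped, and it is rate limited per key at 1,200 requests per minute. The following is an added example of how a service could enforce those rules on the receiving side; it is not StatusPulse's own code. The regex alphabet for the key body, the rejected parameter names, and the in-memory scope table are assumptions made for the example (a real deployment would look keys up by their Argon2id hash rather than keep plaintext keys in a dictionary).

```python
"""Server-side checks for StatusPulse-style API keys (added example, not the product's code)."""
import re
import time
from collections import defaultdict, deque

# Page format: environment prefix plus a 64-character base64 body.
# The body alphabet (standard base64 characters and '=') is an assumption.
KEY_PATTERN = re.compile(r"^(sp_live_|sp_test_)[A-Za-z0-9+/=]{64}$")
RATE_LIMIT_PER_MINUTE = 1200  # standard tier, per the page

# Parameter names that would indicate a key smuggled outside the header (assumed list).
FORBIDDEN_PARAM_NAMES = {"api_key", "apikey", "key", "token", "access_token"}


class AuthError(Exception):
    """Raised for any request that fails authentication or authorization."""


def extract_api_key(headers, query_params, body):
    """Return the key from the Authorization header; reject every other transport."""
    # Page rule: keys in query parameters or POST bodies are rejected outright,
    # so a request that tries both places is refused before the header is read.
    for source in (query_params, body):
        for name in source:
            if name.lower() in FORBIDDEN_PARAM_NAMES:
                raise AuthError("API key must be sent in the Authorization header only")
    auth = headers.get("Authorization") or headers.get("authorization")
    if not auth:
        raise AuthError("missing Authorization header")
    scheme, _, credential = auth.partition(" ")
    if scheme != "Bearer" or not credential:
        raise AuthError("expected 'Authorization: Bearer <api_key>'")
    if not KEY_PATTERN.match(credential):
        raise AuthError("malformed API key")
    return credential


def key_environment(key):
    """Map the prefix to the environment the key is bound to."""
    return "production" if key.startswith("sp_live_") else "sandbox"


class PerKeyRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit=RATE_LIMIT_PER_MINUTE, window=60.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop requests that have left the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def scope_allows(granted, required):
    """True if the key's granted scopes cover `required` (exact match; admin:all covers all)."""
    return "admin:all" in granted or required in granted


def authorize_request(headers, query_params, body, key_scopes, required_scope, limiter, now=None):
    """Full check for one request: transport, format, scope, then rate limit.

    `key_scopes` maps a key to its granted scope set (assumed in-memory table).
    Scope is checked before the rate limiter so a denied request does not
    consume the key's budget. Returns the key's environment on success.
    """
    key = extract_api_key(headers, query_params, body)
    if not scope_allows(key_scopes.get(key, set()), required_scope):
        raise AuthError(f"key lacks scope {required_scope}")
    if not limiter.allow(key, now):
        raise AuthError("rate limit exceeded")
    return key_environment(key)


if __name__ == "__main__":
    # Constructed sandbox key and scope table for a quick local run.
    demo_key = "sp_test_" + "A" * 64
    table = {demo_key: {"read:checks"}}
    print(authorize_request({"Authorization": "Bearer " + demo_key}, {}, {},
                            table, "read:checks", PerKeyRateLimiter()))
```

The limiter keys its window on the raw key value here for brevity; a service that stores only Argon2id hashes would key it on the hash or the key id instead, which also keeps plaintext keys out of memory dumps and logs.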


OAuth 2.0 for Enterprise SSO

Delegated Access & Identity Federation

Integrate StatusPulse with your existing identity provider using standard OAuth 2.0 authorization code flow with PKCE. This enables seamless single sign-on for engineering teams while maintaining strict separation between monitoring data and user credentials.

Supported Identity Providers

Native connectors for Okta, Azure AD, and OneLogin. Custom OIDC discovery endpoints are supported for PingIdentity and Auth0. All providers must enforce MFA and support SAML 2.0 fallback for legacy enterprise directories.

Scope Negotiation

Request granular permissions during the authorization handshake. Available scopes include `openid`, `profile`, `email`, `statuspulse:checks:read`, and `statuspulse:alerts:manage`. Admins can restrict scope issuance via conditional access policies.

Token Lifecycle

Access tokens expire after 15 minutes and refresh tokens after 24 hours. StatusPulse validates tokens against the identity provider's JWKS endpoint, with key rotation every 6 hours. Revoked sessions are invalidated across all active browser tabs within 30 seconds.
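The authorization code flow with PKCE, the scope list above, and the 15-minute / 24-hour token lifetimes are enough to sketch the client side of the handshake. This is an added example, not StatusPulse's or any identity provider's code: the authorization endpoint, client id and redirect URI are placeholders (a real client reads them from the provider's OIDC discovery document), and the `TokenSet` class models only the expiry arithmetic, not token parsing. The S256 challenge derivation follows RFC 7636.

```python
"""Client side of OAuth 2.0 authorization code flow with PKCE (added example)."""
import base64
import hashlib
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints and identifiers; take these from OIDC discovery in practice.
AUTHORIZE_URL = "https://idp.example.com/oauth2/authorize"
CLIENT_ID = "statuspulse-dashboard"
REDIRECT_URI = "https://app.example.com/callback"

# Scopes listed on the page; anything else is refused before the redirect.
ALLOWED_SCOPES = {
    "openid", "profile", "email",
    "statuspulse:checks:read", "statuspulse:alerts:manage",
}
ACCESS_TOKEN_TTL = 15 * 60       # seconds, per the page
REFRESH_TOKEN_TTL = 24 * 3600    # seconds, per the page


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters (RFC 7636 minimum length)."""
    return b64url(os.urandom(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_state() -> str:
    """Unguessable state value bound to the user's session to detect CSRF on callback."""
    return secrets.token_urlsafe(32)


def build_authorization_url(scopes, verifier, state) -> str:
    """Build the redirect to the IdP; the verifier stays on the client until token exchange."""
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"unsupported scopes requested: {sorted(unknown)}")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(url: str, expected_state: str) -> str:
    """Extract the authorization code, refusing a callback whose state does not match."""
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]


class TokenSet:
    """Expiry bookkeeping for one issued access/refresh token pair."""

    def __init__(self, issued_at: float):
        self.access_expires = issued_at + ACCESS_TOKEN_TTL
        self.refresh_expires = issued_at + REFRESH_TOKEN_TTL

    def state(self, now: float) -> str:
        """'valid' while the access token lives, 'refresh' while only the refresh token does."""
        if now < self.access_expires:
            return "valid"
        if now < self.refresh_expires:
            return "refresh"
        return "reauthenticate"


if __name__ == "__main__":
    verifier, state = make_code_verifier(), make_state()
    print(build_authorization_url(["openid", "statuspulse:checks:read"], verifier, state))
```

The verifier never leaves the client until the code is exchanged for tokens, so an intercepted authorization code is useless to anyone who does not also hold it; the `state` check covers the separate risk of a forged callback.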


Security Best Practices

Protect your monitoring infrastructure by following industry-standard credential handling and least-privilege access patterns.

Enforce Least Privilege

Never grant `admin:all` scopes to automation runners. Instead, create dedicated service accounts with `read:checks` and `write:alerts` permissions. Use workspace-level role bindings to restrict access to specific environment clusters.

Secure Secret Storage

Store API keys and client secrets in encrypted vaults like HashiCorp Vault or AWS Secrets Manager. Rotate credentials automatically using Terraform providers or Ansible vaults. Never commit keys to version control or expose them in client-side JavaScript bundles.

Monitor Authentication Events

Enable audit logging for all credential generation, scope changes, and failed authentication attempts. Forward logs to your SIEM via webhook or CloudWatch. Set up alerts for anomalous patterns like rapid key rotation or cross-region OAuth token exchanges.
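The two anomaly patterns named above, rapid rotation of one key and an OAuth token exchange that hops regions within a session, can be turned into simple detections over the forwarded audit log. The block below is an added example, not StatusPulse's code or log schema: the JSON field names, the event type strings, and the thresholds (three rotations of the same key within five minutes; a region change on the same session within ten minutes) are all assumptions, and the log lines are constructed for the example.

```python
"""Detections over StatusPulse-style auth audit events (added example, constructed data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events; the field names are assumptions, not the product's schema.
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:00Z","event":"api_key.rotated","actor":"svc-ci","key_id":"k1","region":"us-east-1"}
{"ts":"2024-05-01T10:00:20Z","event":"api_key.rotated","actor":"svc-ci","key_id":"k1","region":"us-east-1"}
{"ts":"2024-05-01T10:00:40Z","event":"api_key.rotated","actor":"svc-ci","key_id":"k1","region":"us-east-1"}
{"ts":"2024-05-01T10:05:00Z","event":"oauth.token_exchange","actor":"alice","session":"s1","region":"eu-west-1"}
{"ts":"2024-05-01T10:06:00Z","event":"oauth.token_exchange","actor":"alice","session":"s1","region":"us-east-1"}
{"ts":"2024-05-01T10:07:00Z","event":"auth.failed","actor":"svc-ci","region":"us-east-1"}
{"ts":"2024-05-01T10:08:00Z","event":"oauth.token_exchange","actor":"bob","session":"s2","region":"us-east-1"}
"""

ROTATION_THRESHOLD = 3                   # rotations of one key ...
ROTATION_WINDOW = timedelta(minutes=5)   # ... inside this window count as "rapid"
REGION_HOP_WINDOW = timedelta(minutes=10)  # same session, different region, this close


def parse_events(text):
    """Parse newline-delimited JSON into dicts with aware UTC timestamps, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_rapid_rotation(events):
    """Alert when one key is rotated ROTATION_THRESHOLD times within ROTATION_WINDOW."""
    alerts = []
    recent = defaultdict(list)  # key_id -> rotation timestamps inside the window
    for e in events:
        if e["event"] != "api_key.rotated":
            continue
        stamps = recent[e["key_id"]]
        stamps.append(e["ts"])
        while stamps and e["ts"] - stamps[0] > ROTATION_WINDOW:
            stamps.pop(0)
        if len(stamps) >= ROTATION_THRESHOLD:
            alerts.append({"rule": "rapid_key_rotation", "key_id": e["key_id"],
                           "actor": e["actor"], "count": len(stamps), "at": e["ts"]})
            stamps.clear()  # one alert per burst, not one per extra rotation
    return alerts


def detect_cross_region_exchange(events):
    """Alert when a session exchanges tokens from a different region than its last exchange."""
    alerts = []
    last = {}  # session -> previous token_exchange event
    for e in events:
        if e["event"] != "oauth.token_exchange":
            continue
        prev = last.get(e["session"])
        if prev and prev["region"] != e["region"] and e["ts"] - prev["ts"] <= REGION_HOP_WINDOW:
            alerts.append({"rule": "cross_region_token_exchange", "session": e["session"],
                           "actor": e["actor"], "regions": (prev["region"], e["region"]),
                           "at": e["ts"]})
        last[e["session"]] = e
    return alerts


def run_detections(text):
    """Run every detection over one log chunk and return the combined alert list."""
    events = parse_events(text)
    return detect_rapid_rotation(events) + detect_cross_region_exchange(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Both rules are stateful only within the chunk they are given; a SIEM rule would keep the per-key and per-session state across batches and would treat the thresholds as tunables rather than constants.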
