Authentication - API Keys & OAuth

Real-time infrastructure monitoring for DevOps

Documentation Index

API Key Management

Scoped credential generation, rotation schedules, and environment injection patterns.

OAuth 2.0 Integration

Authorization Code Grant with PKCE, token lifecycle, and workspace delegation.

Security Best Practices

Least-privilege scoping, secret rotation automation, and audit log monitoring.

API Keys

Generate & Rotate Credentials

StatusPulse enforces strict API key policies to protect your monitoring infrastructure. Each key is bound to a specific workspace and supports granular permission scoping.

Create a Scoped Key

Navigate to Settings > Security > API Access. Click "Generate New Key", assign a name like "nightly-sync-job", and restrict permissions to `checks:read` or `metrics:write`. Avoid using `admin:full` unless absolutely necessary.

Rotate Without Downtime

Keys expire automatically after 90 days. Use the "Create Replacement" action to issue a fresh key while keeping the legacy credential active. Update your CI/CD environment variables, verify connectivity, then revoke the old key from the dashboard.

Secure Storage Requirements

Never hardcode keys in repositories or config files. Inject them at runtime through the `STATUSPULSE_API_KEY` environment variable, or integrate with HashiCorp Vault, AWS Secrets Manager, or GitHub Actions encrypted secrets.

OAuth 2.0 Flow

Team Integrations & Delegated Access

OAuth 2.0 enables secure, user-controlled access for third-party dashboards, Slack bots, and custom reporting pipelines. StatusPulse supports the Authorization Code Grant with PKCE for modern applications.

Authorization Request

Redirect users to `https://auth.statuspulse.io/oauth/authorize` with your `client_id`, `redirect_uri`, and requested scopes (e.g., `dashboard:read`, `alerts:manage`). Always include a cryptographic `code_challenge` and `code_challenge_method=S256`.

Token Exchange & Refresh

Exchange the returned authorization code for an access token and refresh token via the `/oauth/token` endpoint. Access tokens expire in 1 hour; use the refresh token to maintain sessions silently without prompting users.

Revoke & Audit

Monitor active sessions in Settings > OAuth Applications. Revoke tokens immediately when developers leave your team or when integrations are decommissioned. All token issuances and revocations are logged in the audit trail.
