API Authentication

Authentication Guide

API Keys & Scope Management

Generate and rotate secure API keys directly from your SitePulse dashboard. Each key supports granular scopes like monitor.read, alert.write, and billing.admin to enforce least-privilege access across your engineering teams.

Key Generation

Navigate to Settings > API Access and click Create New Key. Assign a descriptive label like Production-Dashboard and select the required scopes before saving. Keys are hashed at rest using AES-256 and never logged in plain text.

Scope Rotation

Revoke compromised keys instantly without disrupting other integrations. SitePulse supports automatic key rotation policies with 30-day expiration warnings and immutable audit logs for every scope modification.

Rate Limiting

API keys are automatically bound to tier-specific rate limits. Enterprise plans include 12,000 requests per minute with burst capacity, while Community tiers cap at 500 requests per minute to protect global probe health.

Integration Protocol

OAuth 2.0 for Third-Party Integrations

Enable seamless, token-based authentication for partner applications and custom dashboards. SitePulse implements the OAuth 2.0 Authorization Code Flow with PKCE to secure public clients and server-side integrations alike.

Client Registration

Register your application at api.sitepulse.com/oauth/register. Provide your redirect URIs, application name, and security contact. You will receive a client_id and a cryptographically secure client_secret.

Token Exchange

Exchange authorization codes for short-lived access tokens valid for 3600 seconds. Refresh tokens persist for 90 days and automatically rotate upon each successful validation request to limit exposure windows.

Consent Scoping

Users explicitly grant permissions during the authorization step. Request only the scopes your integration requires to minimize security exposure and maintain compliance with SOC 2 Type II standards.

Security Standards

Security Best Practices

Protect your monitoring infrastructure by following industry-standard authentication protocols. SitePulse enforces strict validation rules to prevent credential leakage and unauthorized access attempts.

Header Transmission

Always pass API keys in the Authorization header using the Bearer scheme. Never embed credentials in URL query parameters, as they may be logged in reverse proxy access logs or browser history.

Environment Variables

Store secrets in encrypted environment variables or dedicated vaults like HashiCorp Vault or AWS Secrets Manager. Never commit credentials to version control repositories or public CI/CD pipelines.

Webhook Validation

Verify the X-SitePulse-Signature header on all incoming alert webhooks using your registered HMAC-SHA256 secret. Reject payloads that fail signature verification to prevent spoofed status updates.
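
The check described under Webhook Validation, as an added example (not SitePulse's own code): a receiver that fails closed on a missing or malformed signature and compares digests in constant time. It assumes the X-SitePulse-Signature header carries the hex-encoded HMAC-SHA256 of the raw request body, which this page does not specify; the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values for the example; not real SitePulse data.
SECRET = b"constructed-example-secret"
BODY = b'{"monitor":"example-monitor","status":"down"}'
GOOD_SIG = hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, header_value, secret: bytes) -> bool:
    """True only if header_value equals hex(HMAC-SHA256(secret, raw_body)).

    Assumption: hex encoding over the raw body; the page does not specify it.
    """
    if not isinstance(header_value, str) or not header_value or not secret:
        return False  # missing header or unset secret fails closed
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    try:
        supplied = header_value.strip().lower().encode("ascii")
    except UnicodeEncodeError:
        return False  # non-ASCII input can never be a valid hex digest
    # Constant-time comparison: timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected.encode("ascii"), supplied)


def handle_webhook(raw_body: bytes, headers: dict, secret: bytes):
    """Verify the exact received bytes first, parse second.

    Returns (http_status, parsed_payload_or_None).
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(raw_body, lowered.get("x-sitepulse-signature"), secret):
        return 401, None  # reject before any JSON parsing or side effects
    return 200, json.loads(raw_body)


if __name__ == "__main__":
    good = {"X-SitePulse-Signature": GOOD_SIG}
    print(handle_webhook(BODY, good, SECRET))
    print(handle_webhook(BODY.replace(b"down", b"up"), good, SECRET))
```

Pass the body bytes exactly as received: a payload that has been parsed and re-serialized will generally not reproduce the signed bytes, so verification must run before any framework JSON decoding.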