Authentication - API Keys & OAuth
Real-time infrastructure monitoring for DevOps
Generate & Manage API Keys
Create scoped credentials directly from your StatusPulse dashboard to automate uptime checks, incident routing, and metric exports.
Navigate to Settings > Integrations
Log in to your workspace at app.statuspulse.io. Click your organization avatar in the top-right corner, then select "API Credentials" from the dropdown. You will see a list of existing keys for environments like staging, production, and read-only analytics.
Define Scope & Permissions
Use the permission matrix to grant granular access. For PagerDuty sync, enable `incidents:write` and `routes:read`. For Datadog metric forwarding, select `metrics:export` and `checks:read`. Keys are hashed with bcrypt and never stored in plaintext.
Copy & Rotate Safely
Click "Generate New Key" to receive a 64-character base64 token prefixed with `sp_live_` or `sp_test_`. Store it in your CI/CD secrets manager immediately. Use the "Rotate" button to invalidate the previous version while maintaining active webhook endpoints.
OAuth2 Flow for Third-Party Integrations
Connect StatusPulse with Slack, GitHub, and Linear using our standard Authorization Code flow with PKCE support.
Register Your Application
Visit the Developer Portal at developers.statuspulse.io/apps. Provide a callback URL like `https://hooks.yourcompany.com/auth/statuspulse/callback`. The system will issue a Client ID and a 256-bit Client Secret. Enable "State Parameter Validation" to prevent CSRF attacks.
Execute the Authorization Request
Redirect users to `https://auth.statuspulse.io/oauth/authorize?client_id=YOUR_ID&redirect_uri=YOUR_URI&response_type=code&scope=monitoring:read,alerts:write`. After consent, StatusPulse returns a short-lived authorization code valid for 300 seconds.
Exchange Code for Tokens
POST the code to `/oauth/token` with your client credentials. You will receive a JSON payload containing an `access_token` (2-hour lifespan) and a `refresh_token`. Use the refresh endpoint to maintain uninterrupted incident stream connections without re-prompting users.
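The three steps above, with the `state` check and PKCE made explicit, as an added example that is not StatusPulse's own code. It assumes the authorize and token endpoints accept the standard RFC 7636 and RFC 6749 parameter names; `session` (a per-user, server-side dict) and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://auth.statuspulse.io/oauth/authorize"  # from the page

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id, redirect_uri, scope, session):
    """Bind a fresh state and PKCE verifier to the user's server-side session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)  # 86 chars (43-128 allowed)
    session["oauth_redirect_uri"] = redirect_uri
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": session["oauth_state"],
        # Assumed parameter names (RFC 7636); the page only says PKCE is supported.
        "code_challenge": s256_challenge(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def handle_callback(callback_url, session):
    """Check state, then return the form fields to POST to /oauth/token."""
    query = parse_qs(urlparse(callback_url).query)
    # pop() makes state and verifier single-use, so a replayed callback fails.
    expected = session.pop("oauth_state", "")
    verifier = session.pop("pkce_verifier", "")
    redirect_uri = session.pop("oauth_redirect_uri", "")
    returned = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: drop the request, do not redeem the code")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    # Client credentials are added by the caller when sending the POST.
    return {"grant_type": "authorization_code", "code": query["code"][0],
            "redirect_uri": redirect_uri, "code_verifier": verifier}
```

The verifier never leaves the server until the token request, so an authorization code intercepted at the callback cannot be redeemed without it.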
Key Security & Compliance Best Practices
Protect your monitoring infrastructure with enterprise-grade authentication standards and automated lifecycle management.
Enforce IP Allowlisting
Restrict API key usage to specific CIDR ranges. In the dashboard, navigate to "Security Controls" and add your Jenkins server subnet `10.42.0.0/16` or Vercel deployment IPs. Requests originating from unlisted addresses are rejected with HTTP 403 before reaching the auth layer.
Automate Rotation & Expiry
Set maximum key lifespans of 90 days for production environments. Enable the "Auto-Rotate" toggle to generate successor keys 7 days before expiration. Webhook notifications are sent to your `#devops-security` Slack channel when credentials approach end-of-life.
Audit Trail & Anomaly Detection
Every API call and OAuth token exchange is logged with request fingerprints, user-agent strings, and geolocation data. StatusPulse triggers SOC2-compliant alerts if a key executes more than 5,000 requests per minute or accesses endpoints outside its declared scope.