Authentication
How to authenticate with the ReliaPulse API.
Overview
ReliaPulse supports two authentication methods:
- API Keys - For programmatic access
- Session Cookies - For browser-based access
API Key Authentication
Creating an API Key
- Navigate to Settings > API Keys
- Click "New API Key"
- Configure:
  - Name: Descriptive identifier
  - Permissions: Select specific or all
  - Expiration: Optional expiry date
- Click "Create"
- Copy the key immediately - it won't be shown again
Key Format
sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Keys are:
- 43 characters long
- Prefixed with sk_live_
- Base64URL encoded random bytes
Using API Keys
Include the key in the Authorization header:
curl -X GET https://your-domain.com/api/v1/components \
  -H "Authorization: Bearer sk_live_xxxxxxxx"
Security
API keys are stored as SHA-256 hashes:
- Original key is never stored
- Cannot be recovered if lost
- Create a new key if compromised
⚠️ Never expose API keys in:
- Client-side code
- Version control
- Public repositories
- Log files
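How hash-only key storage behaves on the server side, as an added sketch that is not ReliaPulse's own code. The in-memory `store`, the function names and the 32-byte random length are assumptions.

```python
import base64
import hashlib
import secrets

PREFIX = "sk_live_"  # prefix documented on this page


def _digest(key: str) -> str:
    # A fast hash is acceptable here because the key is high-entropy random
    # data, not a human-chosen password.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(store: dict, key_id: str, name: str, n_bytes: int = 32) -> str:
    """Create a key, persist only its digest, return the plaintext once.

    n_bytes is an assumption; the page does not state the random byte count.
    """
    body = base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=")
    key = PREFIX + body.decode("ascii")
    store[_digest(key)] = {"id": key_id, "name": name}
    return key


def verify_key(store: dict, presented: str):
    """Return the stored record for a presented key, or None if unknown."""
    if not isinstance(presented, str) or not presented.startswith(PREFIX):
        return None
    return store.get(_digest(presented))


def revoke_key(store: dict, key_id: str) -> bool:
    """Delete the digest for key_id; the key stops verifying immediately."""
    for digest, record in list(store.items()):
        if record["id"] == key_id:
            del store[digest]
            return True
    return False
```

Because only the digest is persisted, a dump of `store` cannot be turned back into a usable key, which is also why a lost key has to be replaced rather than recovered.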
Permissions
Available Permissions
| Permission | Description |
|---|---|
| components:read | Read component data |
| components:write | Create, update, delete components |
| incidents:read | Read incident data |
| incidents:write | Create, update incidents |
| maintenances:read | Read maintenance data |
| maintenances:write | Create, update maintenances |
| status-pages:read | Read status page data |
| status-pages:write | Modify status pages |
| subscribers:read | Read subscriber list |
| subscribers:write | Manage subscribers |
| integrations:read | Read integrations |
| integrations:write | Manage integrations |
| sla:read | Read SLA configurations |
| sla:write | Manage SLAs |
| notifications:read | Read notification channels |
| notifications:write | Manage notifications |
| oncall:read | Read on-call schedules |
| oncall:write | Manage on-call |
| config:read | Read configuration |
| config:write | Apply configuration |
| organization:read | Read org settings |
| organization:write | Manage org settings |
| audit:read | Read audit logs |
Permission Logic
- Exact match: components:read grants read access
- Write includes read: components:write also grants read
- Wildcard: Coming soon
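The matching rules above as a fail-closed check, written as an added example rather than ReliaPulse's implementation. The function names are assumptions; the permission names come from the table, and wildcard entries are deliberately ignored because the page lists them as not yet supported.

```python
# Resources listed in the permissions table; audit has only a read permission.
RESOURCES = ["components", "incidents", "maintenances", "status-pages",
             "subscribers", "integrations", "sla", "notifications",
             "oncall", "config", "organization"]
KNOWN = {f"{r}:{a}" for r in RESOURCES for a in ("read", "write")} | {"audit:read"}


def grants(granted, required):
    """True if a key's permission list satisfies the required permission."""
    if required not in KNOWN:
        return False  # fail closed on anything outside the documented table
    effective = set(granted) & KNOWN  # ignores "*" or "components:*" entries
    if required in effective:
        return True  # exact match
    resource, _, action = required.partition(":")
    # write includes read, never the reverse
    return action == "read" and f"{resource}:write" in effective


def authorize(granted, required):
    """Return (status, body) using the FORBIDDEN error shape from this page."""
    if grants(granted, required):
        return 200, None
    return 403, {"error": {
        "code": "FORBIDDEN",
        "message": f"API key lacks required permission: {required}",
    }}
```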
Checking Permissions
If a request lacks required permissions:
{
  "error": {
    "code": "FORBIDDEN",
    "message": "API key lacks required permission: components:write"
  }
}
Session Authentication
For browser-based applications using the dashboard:
- User logs in via /auth/login
- Session cookie is set
- Cookie is sent with subsequent requests
Session authentication is handled automatically by the browser. No additional headers needed.
Session Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /auth/login | POST | Create session |
| /auth/logout | POST | End session |
| /auth/register | POST | Create account |
Dual Authentication
API routes support both methods:
- Check for Authorization: Bearer header
- If API key found → validate and use
- If no API key → check session cookie
- Return 401 if neither valid
This allows:
- Programmatic access via API keys
- Dashboard access via sessions
- Same endpoints for both
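The resolution order above as a single function, added here as an illustration and not taken from ReliaPulse. The cookie name, the two lookup callables and the choice to reject a presented-but-invalid key without falling back to the cookie are assumptions the page does not spell out.

```python
UNAUTHORIZED = {"error": {"code": "UNAUTHORIZED",
                          "message": "Authentication required"}}

SESSION_COOKIE = "session"  # hypothetical cookie name, not given on the page


def authenticate(headers, cookies, lookup_api_key, lookup_session):
    """Resolve the caller as (status, principal_or_error_body).

    lookup_api_key / lookup_session are hypothetical callables returning a
    dict for a valid credential and None otherwise.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        principal = lookup_api_key(token.strip())
        if principal is None:
            # Assumption: a presented but invalid key is rejected outright
            # instead of silently falling back to the session cookie.
            return 401, UNAUTHORIZED
        return 200, {"via": "api_key", **principal}
    session_id = cookies.get(SESSION_COOKIE)
    if session_id:
        principal = lookup_session(session_id)
        if principal is not None:
            return 200, {"via": "session", **principal}
    return 401, UNAUTHORIZED
```

Recording which credential type resolved the request (`via`) keeps audit entries unambiguous when the same endpoint serves both the dashboard and automation.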
API Key Management
Listing Keys
curl https://your-domain.com/api/v1/api-keys \
  -H "Authorization: Bearer sk_live_xxx"
Returns keys with metadata (key value is masked):
{
  "data": [
    {
      "id": "key_123",
      "name": "CI/CD Pipeline",
      "lastUsedAt": "2026-01-22T10:00:00Z",
      "expiresAt": null,
      "permissions": ["components:read", "incidents:write"]
    }
  ]
}
Creating Keys
curl -X POST https://your-domain.com/api/v1/api-keys \
  -H "Authorization: Bearer sk_live_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Deployment",
    "permissions": ["incidents:write", "components:read"],
    "expiresAt": "2027-01-01T00:00:00Z"
  }'
Response includes the full key (only time it's shown):
{
  "id": "key_456",
  "name": "Production Deployment",
  "key": "sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "permissions": ["incidents:write", "components:read"]
}
Revoking Keys
curl -X DELETE https://your-domain.com/api/v1/api-keys/{id} \
  -H "Authorization: Bearer sk_live_xxx"
Revoked keys stop working immediately.
Public Endpoints
Some endpoints require no authentication:
| Endpoint | Description |
|---|---|
| GET /api/v1/public/status/{slug} | Public status data |
| GET /api/v1/public/status/{slug}/incidents | Public incidents |
| GET /api/v1/public/status/{slug}/feed | RSS/Atom feed |
These endpoints:
- Return only published data
- Are rate limited more strictly
- Don't require any headers
Error Responses
401 Unauthorized
No valid authentication provided:
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Authentication required"
  }
}
403 Forbidden
Valid auth but insufficient permissions:
{
  "error": {
    "code": "FORBIDDEN",
    "message": "Insufficient permissions"
  }
}
Best Practices
- Use minimal permissions - Only grant what's needed
- Rotate keys regularly - Create new keys periodically
- Use expiration dates - Set expiry for temporary access
- Monitor usage - Check lastUsedAt for activity
- Name descriptively - Know what each key is for
- Revoke unused keys - Clean up old access
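A periodic audit of the key listing response that applies these practices, as an added example and not part of ReliaPulse. The sample listing is constructed (only key_123 mirrors the response shown on this page), and the 90-day staleness threshold is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the listing response on this page.
SAMPLE = json.loads("""
{"data": [
  {"id": "key_123", "name": "CI/CD Pipeline",
   "lastUsedAt": "2026-01-22T10:00:00Z", "expiresAt": null,
   "permissions": ["components:read", "incidents:write"]},
  {"id": "key_old", "name": "Migration script",
   "lastUsedAt": "2025-06-01T00:00:00Z", "expiresAt": "2027-01-01T00:00:00Z",
   "permissions": ["components:read", "components:write"]},
  {"id": "key_ok", "name": "Status bot",
   "lastUsedAt": "2026-01-30T08:00:00Z", "expiresAt": "2026-06-01T00:00:00Z",
   "permissions": ["incidents:read"]}
]}
""")


def _ts(value):
    # Timestamps on the page use a trailing Z; normalise it for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def audit_keys(listing, now=None, stale_days=90):
    """Map key id -> list of findings; keys with no findings are omitted."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for key in listing["data"]:
        issues = []
        expires, last_used = _ts(key.get("expiresAt")), _ts(key.get("lastUsedAt"))
        if expires is None:
            issues.append("no expiration set")
        if last_used is None:
            issues.append("never used")
        elif now - last_used > timedelta(days=stale_days):
            issues.append(f"unused for more than {stale_days} days")
        perms = set(key.get("permissions", []))
        for perm in sorted(perms):
            resource, _, action = perm.partition(":")
            # write already includes read, so holding both is redundant
            if action == "read" and f"{resource}:write" in perms:
                issues.append(f"{perm} is redundant with {resource}:write")
        if issues:
            report[key["id"]] = issues
    return report
```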
Related Documentation
- Settings - Key management UI
- Errors - Error handling
- Rate Limits - Request limits