PingSled Developer Hub

API Authentication

Secure access to your uptime monitoring endpoints using API keys and OAuth 2.0. Real-time availability monitoring requires strict credential management.

API Keys & Access Tokens

Every PingSled workspace generates a unique secret key and a public read-only token. Use the secret key (`psled_sk_...`) to create, modify, or delete check configurations, and the public token (`psled_pk_...`) for dashboard widgets and status page embeds.

Key Rotation & Scoping

Rotate credentials every 90 days without interrupting active checks. Assign granular scopes like `checks:read`, `incidents:write`, or `webhooks:manage` to limit the blast radius if a key leaks.

Rate Limits & Quotas

Authenticated requests are capped at 1,200 calls per minute per key. Exceeding this cap returns `429 Too Many Requests` with a `Retry-After` header. Bulk endpoint operations use server-side pagination to preserve quota.

OAuth 2.0 Integration

For third-party applications and team collaboration tools, PingSled supports the OAuth 2.0 authorization code flow with PKCE. Connect Slack, PagerDuty, or custom CI/CD pipelines without sharing workspace secrets.

Authorization Endpoints

Initiate flows via `https://api.pingsled.com/oauth/authorize`. Redirect URIs must be pre-registered in your developer console. Access tokens expire in 3600 seconds and refresh tokens remain valid for 30 days.

Token Validation & Introspection

Verify bearer tokens against `https://api.pingsled.com/oauth/introspect`. Responses include `active`, `scope`, `client_id`, and `exp` claims. Invalid or expired tokens return `401 Unauthorized` with a `WWW-Authenticate` challenge.
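
A resource server should fail closed on every claim in the introspection response, not just `active`. The following is an added example, not PingSled's own code. It assumes `scope` is a space-delimited string and `exp` is Unix seconds (as in RFC 7662); the function name, the client ID and the sample response are constructed for illustration.

```python
import time

class TokenRejected(Exception):
    """Raised when an introspection result must not be trusted."""

def authorize(introspection, required_scope, allowed_clients, now=None):
    """Return the granted scope set, or raise TokenRejected (fail closed).

    `introspection` is the parsed JSON body from the introspect endpoint.
    Assumptions: `scope` is a space-delimited string and `exp` is Unix
    seconds, as in RFC 7662; the page does not state either.
    """
    now = time.time() if now is None else now
    if not isinstance(introspection, dict):
        raise TokenRejected("malformed response")
    # `active` must be the JSON boolean true; "true" or 1 do not count.
    if introspection.get("active") is not True:
        raise TokenRejected("token inactive")
    exp = introspection.get("exp")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise TokenRejected("missing or non-numeric exp")
    if exp <= now:
        raise TokenRejected("token expired")
    # Only accept tokens issued to clients this service expects.
    if introspection.get("client_id") not in allowed_clients:
        raise TokenRejected("unexpected client_id")
    scope = introspection.get("scope")
    if not isinstance(scope, str):
        raise TokenRejected("missing scope")
    granted = set(scope.split())
    # Exact match only: holding checks:read does not grant webhooks:manage.
    if required_scope not in granted:
        raise TokenRejected("scope %s not granted" % required_scope)
    return granted

# Constructed sample response (not captured from the real API).
SAMPLE = {"active": True, "scope": "checks:read incidents:write",
          "client_id": "ci-pipeline-example", "exp": 1_700_003_600}
```

Call `authorize` with the scope the requested operation needs, and treat any `TokenRejected` as a `401` for the caller.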

Security Best Practices

Protecting your monitoring infrastructure starts with disciplined credential handling. Follow these operational guidelines to maintain zero-trust compliance across your PingSled deployments.

Environment Variable Isolation

Never hardcode `PSLED_API_KEY` in repositories. Inject secrets via CI/CD runtime variables or Kubernetes `Secret` objects. Rotate keys immediately if configuration files are accidentally committed to version control.

TLS Enforcement & IP Allowlisting

All API endpoints require TLS 1.2+. Restrict inbound traffic to known CI runners or load balancer IPs using workspace-level allowlists. PingSled rejects requests with `X-Forwarded-For` mismatches.

Audit Trails & Anomaly Detection

Every authenticated request logs `user_id`, `ip_address`, `user_agent`, and `endpoint`. Enable webhook alerts for unrecognized locations or sudden spikes in `DELETE /checks` calls. Export raw audit CSVs monthly.