Authentication
How to authenticate your requests with API keys and OAuth 2.0
Introduction
Every request to the StatusBewaker API must include valid credentials. We support two authentication methods: API keys for server-to-server integrations and OAuth 2.0 for applications that act on behalf of end users.
API keys are tied to your organisation and can reach every resource your team owns, unless you narrow them with scopes. They are ideal for dashboards, CI/CD pipelines, and internal monitoring tools. OAuth 2.0 is designed for third-party applications and enterprise integrations where users grant scoped, revocable access without sharing their credentials. API keys are created in the dashboard and do not expire until you rotate or revoke them; OAuth access and refresh tokens are issued by https://auth.statusbewaker.nl and carry fixed lifetimes.
Authentication methods
Server-to-server
API Keys
Generate keys from your dashboard under Settings → API Access. Each key is a 40-character string that begins with the prefix sb_live_ or sb_test_ followed by a unique identifier. Send the key in the Authorization: Bearer <key> header on every request. Keys do not expire unless you rotate or revoke them manually, so the rotation schedule below is the only lifetime they have. You can create up to 5 active keys per workspace.
User-delegated access
OAuth 2.0
Use the authorisation code flow with PKCE. It is required for public clients (single-page and native apps) that cannot keep a secret, and recommended for confidential clients as well. Register your application at https://dashboard.statusbewaker.nl/apps to receive a client ID and a client secret; only confidential, server-side clients should hold the secret, and a public client must never embed it. The authorisation endpoint is https://auth.statusbewaker.nl/oauth/authorize and the token endpoint is https://auth.statusbewaker.nl/oauth/token. Access tokens are valid for 1 hour; refresh tokens are valid for 90 days and can be rotated without sending the user back through the consent screen.
Scoped permissions
Fine-grained access
Both methods support scopes. API keys can be limited to checks:read, incidents:write, or webhooks:manage; grant a key only the scopes its integration needs. OAuth tokens carry the scopes the user approved on the consent screen, so request the narrowest set your application can work with. Review active scopes in the API Access panel; you can revoke individual permissions without invalidating the entire key.
Security best practices
Treat your API keys like passwords. A leaked key gives an attacker exactly the access your own applications have: every scope the key carries, against your monitoring data and the actions those scopes allow.
Never commit keys to source control
Store keys in environment variables or a secrets manager such as HashiCorp Vault or AWS Secrets Manager. If you use GitHub Actions, reference keys through encrypted repository secrets instead of hard-coding them in workflow files.
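One way to enforce the rule above is a pre-commit hook that refuses any commit containing a key-shaped string. The scanner below is an added example, not StatusBewaker tooling; it assumes the key shape the page describes (40 characters, sb_live_ or sb_test_ prefix) with a 32-character alphanumeric identifier, which is an assumption, and it redacts findings so the hook's own output does not leak the key into CI logs. The workflow snippet it scans is constructed for the example.

```python
"""Pre-commit scanner for StatusBewaker-shaped API keys (added example)."""
import re
import sys

# Assumed key shape: the page gives a 40-character key beginning with
# sb_live_ or sb_test_; the 32-character alphanumeric identifier is an assumption.
KEY_PATTERN = re.compile(r"\b(sb_(live|test)_[A-Za-z0-9]{32})\b")


def redact(key: str) -> str:
    """Keep the prefix and the last four characters: identifiable, not reusable."""
    prefix_len = len("sb_live_")
    return key[:prefix_len] + "*" * (len(key) - prefix_len - 4) + key[-4:]


def find_keys(text: str) -> list:
    """One finding per key-shaped string, with the line it sits on.

    Live keys are 'high' severity, sandbox keys 'medium': both must stay out
    of source control, but only a live key exposes production monitors."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            env = match.group(2)
            findings.append({
                "line": lineno,
                "environment": env,
                "severity": "high" if env == "live" else "medium",
                "redacted": redact(match.group(1)),
            })
    return findings


def scan_files(paths) -> dict:
    """Scan each file; return {path: findings} for the files that contain keys."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = find_keys(fh.read())
        if findings:
            report[path] = findings
    return report


# Constructed sample: a GitHub Actions workflow with a key pasted in by mistake.
# The key values are made up and match only the assumed shape.
SAMPLE_WORKFLOW = """\
name: uptime-sync
env:
  STATUSBEWAKER_API_KEY: sb_live_4f8Kq2ZxP0mN7vB1cD3eF5gH6jL8rT9w
  STATUSBEWAKER_TEST_KEY: ${{ secrets.STATUSBEWAKER_TEST_KEY }}
  LOCAL_FIXTURE: sb_test_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    report = scan_files(targets) if targets else {"<sample>": find_keys(SAMPLE_WORKFLOW)}
    for path, findings in report.items():
        for f in findings:
            print(f"{path}:{f['line']}: {f['severity']}: {f['environment']} key {f['redacted']}")
    # A non-zero exit status is what makes a pre-commit hook block the commit.
    sys.exit(1 if report else 0)
```

Wire it up as `.git/hooks/pre-commit` (or a pre-commit framework entry) and pass the staged file names; the line that references `secrets.STATUSBEWAKER_TEST_KEY` is the correct pattern and produces no finding.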
Rotate keys on a schedule
Rotate API keys at least every 90 days. Generate a new key, update your services to use it, then revoke the old one. When you rotate a key, StatusBewaker keeps the old key valid for a 30-day grace window so you can roll the new key out without downtime; revoke the old key explicitly as soon as every service has switched over instead of leaving it live for the rest of the window.
Use test keys in development
Keys prefixed with sb_test_ point to a sandbox environment with synthetic check data. They cannot access production monitors or trigger real incident notifications. Always use test keys in staging environments and CI pipelines.
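The following is an added example, not StatusBewaker client code, showing how a service can load its key from the environment and refuse a live key wherever only a sandbox key belongs. It assumes the key shape from this page (40 characters, sb_live_ or sb_test_ prefix, here with an alphanumeric identifier), an environment variable named STATUSBEWAKER_API_KEY, and an API path /v1/checks; the CI=true and GITHUB_ACTIONS=true markers are ones GitHub Actions really sets. The key values are constructed.

```python
"""Load a StatusBewaker API key and keep live keys out of CI and staging
(added example, not StatusBewaker's own client code)."""
import re
import urllib.request

API_BASE = "https://api.statusbewaker.nl"

# Assumed key shape: the page gives a 40-character key starting with sb_live_
# or sb_test_; the 32-character alphanumeric identifier is an assumption.
KEY_RE = re.compile(r"^sb_(live|test)_[A-Za-z0-9]{32}$")

# The variable name is an assumption for this example. GitHub Actions does set
# CI=true and GITHUB_ACTIONS=true on its runners.
KEY_VAR = "STATUSBEWAKER_API_KEY"
CI_MARKERS = ("CI", "GITHUB_ACTIONS")


class ApiKeyError(ValueError):
    """Raised when no usable key is available in this environment."""


def key_environment(key: str) -> str:
    """Return 'live' or 'test' for a well-formed key, otherwise raise."""
    match = KEY_RE.match(key)
    if not match:
        raise ApiKeyError("value does not look like a StatusBewaker API key")
    return match.group(1)


def load_api_key(env: dict, *, allow_live: bool = False) -> str:
    """Read the key from `env` (pass dict(os.environ) in real use) and enforce
    the test-key rule: on a CI runner, or unless the caller opts in with
    allow_live=True, only sb_test_ keys are accepted."""
    raw = env.get(KEY_VAR, "").strip()
    if not raw:
        raise ApiKeyError(f"{KEY_VAR} is not set")
    kind = key_environment(raw)
    on_ci = any(env.get(marker, "").lower() == "true" for marker in CI_MARKERS)
    if kind == "live" and (on_ci or not allow_live):
        raise ApiKeyError("live key refused here; use an sb_test_ key for CI and staging")
    return raw


def is_rejected(env: dict, *, allow_live: bool = False) -> bool:
    """True if load_api_key refuses this environment (convenient for tests)."""
    try:
        load_api_key(env, allow_live=allow_live)
    except ApiKeyError:
        return True
    return False


def build_request(key: str, path: str) -> urllib.request.Request:
    """An authenticated request carrying the page's Authorization: Bearer header.
    The request is built, not sent, so this runs offline."""
    return urllib.request.Request(
        API_BASE + path,
        headers={"Authorization": f"Bearer {key}", "Accept": "application/json"},
    )


# Constructed keys of the assumed shape; they are not real credentials.
TEST_KEY = "sb_test_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
LIVE_KEY = "sb_live_4f8Kq2ZxP0mN7vB1cD3eF5gH6jL8rT9w"

if __name__ == "__main__":
    import os
    key = load_api_key(dict(os.environ), allow_live=os.environ.get("ALLOW_LIVE_KEY") == "1")
    req = build_request(key, "/v1/checks")  # the path is an assumption
    print(key_environment(key), "key selected for", req.full_url)
```

Production deployments opt in with allow_live=True (or the ALLOW_LIVE_KEY=1 switch in the example's main) and are still refused if the process happens to be running on a CI runner, which is the mistake this guard exists to catch.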
Restrict OAuth redirects
When registering an OAuth application, register only the exact redirect URIs your application uses. StatusBewaker matches them exactly and rejects authorisation responses sent to unregistered URLs, so do not rely on wildcards or prefix matches. Generate a fresh, unguessable state value for every authorisation request, bind it to the user's session, and validate it server-side before exchanging the code for a token; a missing or mismatched state is a CSRF attempt and the callback must be discarded.
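The client side of the flow described in the OAuth 2.0 section and in the redirect guidance above, as an added example that is not StatusBewaker's SDK: it generates the PKCE verifier and S256 challenge, builds the authorise URL against the endpoints the page names, validates the state on the callback, and produces the token and refresh request bodies. The client ID, redirect URI, authorisation code and the use of checks:read as an OAuth scope are assumptions; nothing is sent over the network.

```python
"""Authorisation code flow with PKCE, client side (added example; not
StatusBewaker's SDK)."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.statusbewaker.nl/oauth/authorize"
TOKEN_URL = "https://auth.statusbewaker.nl/oauth/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """A fresh code_verifier (43 chars, inside the RFC's 43..128 range) and its
    S256 code_challenge = base64url(SHA-256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_challenge(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when code_verifier arrives."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


def start_authorization(client_id: str, redirect_uri: str, scopes: list):
    """Build the authorise URL. Returns (url, pending); `pending` holds the
    state and verifier and belongs in the user's server-side session."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(32)  # fresh and unguessable per request
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    pending = {"state": state, "verifier": verifier, "redirect_uri": redirect_uri}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", pending


def handle_callback(callback_url: str, pending: dict) -> str:
    """Validate the redirect before touching the code. A missing or mismatched
    state is the CSRF case and is rejected outright."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch: discarding callback")
    if "error" in query:
        raise ValueError(f"authorisation failed: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorisation code")
    return code


def token_request(code: str, pending: dict, client_id: str,
                  client_secret: Optional[str] = None) -> dict:
    """Form body for the token endpoint. The verifier proves this client began
    the flow; confidential clients add their secret, public clients never do."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": pending["redirect_uri"],
        "client_id": client_id,
        "code_verifier": pending["verifier"],
    }
    if client_secret:
        body["client_secret"] = client_secret
    return body


def refresh_request(refresh_token: str, client_id: str,
                    client_secret: Optional[str] = None) -> dict:
    """Body for renewing the 1-hour access token with the 90-day refresh token.
    Store any new refresh token the response returns and drop the old one."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}
    if client_secret:
        body["client_secret"] = client_secret
    return body


if __name__ == "__main__":
    # Constructed walk-through; client ID, redirect URI, scope and code are assumptions.
    url, pending = start_authorization("app_example", "https://example.com/oauth/cb", ["checks:read"])
    print("send the user to:", url)
    callback = f"https://example.com/oauth/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={pending['state']}"
    code = handle_callback(callback, pending)
    print("POST", TOKEN_URL, token_request(code, pending, "app_example"))
```

Post the returned body as application/x-www-form-urlencoded to the token endpoint; keep `pending` keyed by session so a callback can only be matched against the request the same user started.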
If you suspect a key has been compromised, revoke it immediately from the dashboard and check the audit log for unauthorised activity. Enable email alerts under Settings → Notifications so you are told the moment a new key is created or an existing one is rotated.