Authentication

Real-time Infrastructure Monitoring

SystemPulse enforces strict access controls to protect your cluster telemetry and alert routing. Follow this guide to provision API keys, configure OAuth 2.0 for third-party dashboards, and validate incoming webhook payloads.

API Keys

Access the SystemPulse REST API using bearer tokens scoped to your organization ID. Keys follow the sp_live__ format and enforce a default rate limit of 600 requests per minute. Navigate to /settings/developers/api-keys to provision new credentials. Each key supports granular scopes such as telemetry:read, incidents:write, and users:admin.

Creation

Generate Service Keys

Assign machine-to-machine tokens for automated deployment pipelines. Keys are cryptographically hashed; the raw secret is displayed only once during creation. Enforce IP allowlists to restrict access to your CI/CD runners at 10.0.0.0/8.

Lifecycle

Rotate Secrets

SystemPulse enforces a 90-day rotation policy for production keys. Use the overlapping grace period to update downstream services before decommissioning the previous credential. Audit logs in /activity/credential-events track every generation and revocation.

OAuth

Integrate external monitoring tools like Datadog or Grafana using the OAuth 2.0 authorization code flow. Register your application in the SystemPulse developer console to obtain a client_id and confidential client_secret. Configure permitted redirect URIs with strict path matching to prevent open redirect vulnerabilities.

Access tokens expire after 120 minutes and refresh tokens remain valid for 30 days. Implement PKCE (Proof Key for Code Exchange) for public clients. Request the minimum required scopes during the authorization request to adhere to the principle of least privilege.

Webhook Signatures

Verify the authenticity of event notifications sent to your endpoints. SystemPulse signs every webhook payload using HMAC-SHA256 with your registered webhook secret (whsec_live_...). The signature is transmitted in the X-SystemPulse-Signature header alongside a Unix timestamp in X-SystemPulse-Timestamp.

Reconstruct the signed string by concatenating the timestamp and raw JSON body. Reject payloads older than 300 seconds to mitigate replay attacks. Use your framework's cryptographic library to compare the computed digest against the header value using a constant-time equality check.
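
The following receiver-side check is an added example, not SystemPulse's own code. It assumes the signed string is the timestamp digits followed directly by the raw body with no separator, and that the header carries the digest as lowercase hex; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 300  # replay window from the guide


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # Assumption: signed string = timestamp digits + raw body, no separator,
    # and the digest is sent as lowercase hex.
    signed = timestamp.encode("ascii") + raw_body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret, timestamp_header, signature_header, raw_body, now=None):
    """Return True only for a fresh payload whose signature matches.

    raw_body must be the bytes exactly as received, before any JSON parsing.
    """
    now = time.time() if now is None else now
    # Refuse anything that is not plain ASCII digits before parsing it.
    if not (timestamp_header.isascii() and timestamp_header.isdigit()):
        return False
    # Reject payloads older than the window; timestamps further than the
    # window into the future are rejected too (added precaution).
    if abs(now - int(timestamp_header)) > MAX_AGE_SECONDS:
        return False
    expected = compute_signature(secret, timestamp_header, raw_body)
    # Compare as bytes so a non-ASCII header cannot raise TypeError.
    received = signature_header.encode("utf-8", "replace")
    return hmac.compare_digest(expected.encode("ascii"), received)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or events.
    secret = b"whsec_live_CONSTRUCTED_EXAMPLE"
    body = b'{"event":"incident.opened","id":"evt_constructed"}'
    ts = "1700000000"
    sig = compute_signature(secret, ts, body)
    print(verify_webhook(secret, ts, sig, body, now=1700000100))  # fresh
    print(verify_webhook(secret, ts, sig, body, now=1700000301))  # replayed
    print(verify_webhook(secret, ts, sig, body + b" ", now=1700000100))  # tampered
```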