Authentication
PingSLA uses two authentication mechanisms depending on the use case.
Session Authentication (Dashboard)
When you log in to app.pingsla.com, the platform issues a short-lived JWT access token and a httpOnly refresh token via cookie.
- Access token lifetime: 15 minutes
- Refresh token lifetime: 7 days
- Tokens are rotated automatically by the dashboard
You do not need to manage session tokens manually unless you are building a custom integration.
API Key Authentication (Programmatic Access)
For all API requests outside the browser dashboard, use an API key.
Authorization: Bearer psk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
API keys:
- Do not expire unless explicitly revoked
- Scoped to your workspace
- Can be restricted to specific IP ranges (Enterprise plan)
- Are prefixed with
psk_live_(production) orpsk_test_(test mode)
Creating an API Key
See API Keys → for full instructions.
Authentication Errors
| HTTP Status | Meaning |
|---|---|
401 Unauthorized | Missing or invalid Authorization header |
403 Forbidden | Valid token, but insufficient permissions for the resource |
429 Too Many Requests | Rate limit exceeded — back off and retry |
Example: Authenticated Request
curl -X GET https://api.pingsla.com/v1/monitors \
-H "Authorization: Bearer psk_live_your_key_here" \
-H "Content-Type: application/json"
Security Best Practices
caution
Never commit API keys to version control. Use environment variables or a secrets manager.
- Rotate keys regularly (especially after team member offboarding)
- Use separate keys per environment (staging vs production)
- Enable IP allowlisting on API keys for automated CI/CD systems
- Audit key usage in Security → Audit Logs