Skip to main content

Authentication

PingSLA uses two authentication mechanisms depending on the use case.

Session Authentication (Dashboard)

When you log in to app.pingsla.com, the platform issues a short-lived JWT access token and a httpOnly refresh token via cookie.

  • Access token lifetime: 15 minutes
  • Refresh token lifetime: 7 days
  • Tokens are rotated automatically by the dashboard

You do not need to manage session tokens manually unless you are building a custom integration.

API Key Authentication (Programmatic Access)

For all API requests outside the browser dashboard, use an API key.

Authorization: Bearer psk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

API keys:

  • Do not expire unless explicitly revoked
  • Scoped to your workspace
  • Can be restricted to specific IP ranges (Enterprise plan)
  • Are prefixed with psk_live_ (production) or psk_test_ (test mode)

Creating an API Key

See API Keys → for full instructions.

Authentication Errors

HTTP StatusMeaning
401 UnauthorizedMissing or invalid Authorization header
403 ForbiddenValid token, but insufficient permissions for the resource
429 Too Many RequestsRate limit exceeded — back off and retry

Example: Authenticated Request

curl -X GET https://api.pingsla.com/v1/monitors \
-H "Authorization: Bearer psk_live_your_key_here" \
-H "Content-Type: application/json"

Security Best Practices

caution

Never commit API keys to version control. Use environment variables or a secrets manager.

  • Rotate keys regularly (especially after team member offboarding)
  • Use separate keys per environment (staging vs production)
  • Enable IP allowlisting on API keys for automated CI/CD systems
  • Audit key usage in Security → Audit Logs