Authentication
The Statly API uses API keys for authentication. All requests must include a valid API key.
Getting an API Key
- Log in to your Statly Dashboard
- Go to Settings → API Keys
- Click Create API Key
- Give it a name (e.g., "CI/CD", "Terraform")
- Copy the key immediately—it won't be shown again
⚠️ API keys are hashed before storage. If you lose a key, you'll need to create a new one.
Using Your API Key
Include the key in the Authorization header with the Bearer scheme:
curl -X GET "https://statly.live/api/v1/monitors" \
  -H "Authorization: Bearer sk_live_your_api_key_here"
Key Format
API keys follow this format:
sk_live_<64-character-hex-string>
Example:
sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6
Scopes
API keys can have different permission scopes:
| Scope | Description |
|---|---|
| * | Full access to all endpoints |
| monitors:read | Read monitor data |
| monitors:write | Create, update, delete monitors |
| incidents:read | Read incident data |
| incidents:write | Create, update, delete incidents |
When creating a key, select the minimum scopes needed for your use case.
Plan-Based Access
API access level depends on your plan:
| Plan | API Access |
|---|---|
| Free | Read-only (monitors:read, incidents:read) |
| Hobby | Full access |
| Pro | Full access |
| Enterprise | Full access + dedicated support |
Security Best Practices
Environment Variables
Never hardcode API keys. Use environment variables:
// Node.js
const apiKey = process.env.STATLY_API_KEY;
fetch('https://statly.live/api/v1/monitors', {
  headers: { 'Authorization': `Bearer ${apiKey}` }
});
Rotate Keys Regularly
Create new keys and revoke old ones periodically:
- Create a new key with the same scopes
- Update your applications to use the new key
- Verify everything works
- Delete the old key
Limit Scopes
Give each key only the permissions it needs:
- CI/CD for creating incidents: incidents:write
- Dashboard integration: monitors:read,incidents:read
- Full automation: *
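To back up the "never hardcode API keys" rule under Environment Variables with a check, the following added example (not Statly code) scans text for strings shaped like Statly keys and reports them in redacted form. The looser candidate pattern, the function names and the sample lines are assumptions constructed for this illustration.

```javascript
// Added example, not Statly code: flag strings shaped like Statly API keys.

// Documented format: "sk_live_" followed by a 64-character hex string.
const DOCUMENTED_FORMAT = /^sk_live_[0-9a-f]{64}$/;
// Assumption: a looser candidate pattern (16+ alphanumerics after the prefix)
// so truncated or sample-style keys are reported as well.
const CANDIDATE = /sk_live_[A-Za-z0-9]{16,}/g;

// Keep only the prefix and the last four characters so a report never
// reproduces the secret it found.
function redact(key) {
  return `sk_live_****${key.slice(-4)}`;
}

// Scan text line by line and return one finding per candidate key.
function findHardcodedKeys(text, file = '<input>') {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(CANDIDATE)) {
      findings.push({
        file,
        line: i + 1,
        column: m.index + 1,
        preview: redact(m[0]),
        matchesDocumentedFormat: DOCUMENTED_FORMAT.test(m[0]),
      });
    }
  });
  return findings;
}

// Constructed sample input. The well-formed key is assembled at run time
// rather than written out in full.
const SAMPLE = [
  "const key = 'sk_live_" + 'ab12'.repeat(16) + "';",       // hardcoded: flagged
  'const key = process.env.STATLY_API_KEY;',                // env lookup: clean
  '-H "Authorization: Bearer sk_live_your_api_key_here"',   // placeholder: clean
  'token: sk_live_A1B2C3D4E5F6G7H8I9J0',                    // malformed: flagged
].join('\n');

for (const f of findHardcodedKeys(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line}:${f.column} ${f.preview}`);
}
```

Run over staged files in a pre-commit hook or CI step, a non-empty result is a reason to fail the build and rotate the reported key.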
Revoking Keys
To revoke an API key:
- Go to Settings → API Keys
- Find the key in the list
- Click Delete
- Confirm deletion
The key is immediately invalidated. Any requests using it will receive a 401 Unauthorized response.
Troubleshooting
401 Unauthorized
{
  "error": "invalid_api_key",
  "message": "API key not found or invalid"
}
Solutions:
- Verify the key is correct (no extra spaces)
- Check the key hasn't been deleted
- Ensure you're using the Bearer scheme
- Confirm the key belongs to your organization
403 Forbidden
{
  "error": "forbidden",
  "message": "Insufficient permissions: 'monitors:write' scope required"
}
Solutions:
- Check your API key has the required scope
- Upgrade your plan if using Free tier
- Create a new key with additional scopes