Skip to main content

API Authentication

StatiBeat uses a few different authentication patterns depending on who the API is for.

1. Session authentication

The web app uses an authenticated session cookie for browser-based admin and management flows.

This is the right model when:

a user is signed in through the UI
requests are made from the browser
you are not building an external integration

2. Bearer token authentication

Programmatic admin integrations should use an API token in the Authorization header.

Authorization: Bearer <token>

This is the right model for:

CI/CD automation
Terraform and scripted provisioning
operational integrations that create or update incidents

See API Tokens for token scopes and lifecycle guidance.

3. Magic-token authentication

Subscriber, custom-view, RSS-feed, and management-link flows often use a magic token carried in the X-Magic-Token header.

X-Magic-Token: <magic-token>

This is used for flows such as:

managing subscriber preferences
managing custom views
managing RSS feeds
opening a management link without a full signed-in admin session

Choosing the right auth mode

Use session auth for interactive product usage.
Use bearer tokens for supported customer automation.
Use magic tokens for emailed management and delegated-access flows.

Security guidance

Prefer the narrowest API-token scope that works for the integration.
Rotate and expire bearer tokens where possible.
Treat magic tokens as short-lived delegated credentials.
Do not expose bearer or magic tokens in query strings.

1. Session authentication
2. Bearer token authentication
3. Magic-token authentication
Choosing the right auth mode
Security guidance