StackPulse can store credentials for authenticated checks. Treat those credentials as production secrets.
Encryption at rest
Sensitive check headers are encrypted at rest before storage.
The API uses the configured secret encryption key to decrypt credentials only when running the checks you configured.
Masking after save
Secrets are masked after saving.
StackPulse does not show saved secret values again in the UI. If you need to change a secret, replace it with a new value.
How secrets are used
Stored check secrets are used only to run configured checks.
They are not intended for display, reporting, exports, or general integration access.
Credential guidance
Use the smallest credential that can prove the service is healthy.
- Use scoped keys.
- Use read-only keys.
- Use monitoring-specific keys.
- Avoid personal passwords.
- Avoid unrestricted admin credentials.
- Avoid service role keys unless there is no safer alternative.
Removing stored check secrets
Delete the check to remove the stored check secrets associated with it.
If a key may have been exposed elsewhere, rotate it at the provider as well. Removing it from StackPulse does not revoke it from the original provider.
A dedicated health endpoint is often safer than giving an external monitor broad API credentials.