API keys

Bearer tokens that authenticate programmatic callers against /api/v1/*. Scoped, revocable, and shown to you exactly once at creation time.

Scopes

Each key carries a list of scopes. A handler that needs to mutate monitors requires monitors:write; a read-only dashboard token only needs monitors:read. Grant the smallest set that does the job — keys with * have full access and shouldn't be used outside of trusted backend code.

Storage

We store the SHA-256 hash of the full key, not the key itself. If you lose the key, it cannot be recovered and you must create a new one. The 8-character prefix is stored in plaintext so the dashboard can show "mon_live_abc12345…" for identification without revealing the secret.

Format

Keys are prefixed mon_live_ (Anthropic-style) so they are greppable on GitHub. If a key leaks to a public repo, secret-scanning partners notify us and we revoke it automatically.
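
The Scopes, Storage and Format sections above, put together as an added sketch (this is not the service's own code). It assumes an in-memory dict as the key store, exact-match scope strings with * as the wildcard, a secret part generated by secrets.token_urlsafe, and that the 8-character prefix means the 8 characters after mon_live_; all function names are hypothetical.

```python
import hashlib
import secrets

KEY_PREFIX = "mon_live_"  # from the page
SHOWN_CHARS = 8           # assumption: the 8 characters right after the prefix


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(scopes, store: dict) -> str:
    """Create a key, persist hash + display prefix + scopes, return the secret once."""
    body = secrets.token_urlsafe(32)  # assumption: length and alphabet of the secret part
    key = KEY_PREFIX + body
    store[_digest(key)] = {
        "prefix": body[:SHOWN_CHARS],
        "scopes": frozenset(scopes),
        "revoked": False,
    }
    return key  # the full key is never written to the store


def display_name(record: dict) -> str:
    """What a dashboard can show without holding the secret."""
    return f"{KEY_PREFIX}{record['prefix']}…"


def revoke(key: str, store: dict) -> bool:
    """Revoke by presenting the key itself, e.g. one reported by a secret scanner."""
    record = store.get(_digest(key))
    if record is None:
        return False
    record["revoked"] = True
    return True


def authorize(header: str, required_scope: str, store: dict):
    """Return the key record if the bearer token is live and carries the scope, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "bearer" or not token.startswith(KEY_PREFIX):
        return None
    # Lookup is by digest: the store holds nothing the presented secret could be read from.
    record = store.get(_digest(token))
    if record is None or record["revoked"]:
        return None
    if "*" in record["scopes"] or required_scope in record["scopes"]:
        return record
    return None
```

Because the store is keyed by the digest, a leaked key reported by a scanner can be revoked by hashing it, with no plaintext copy on the server.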

Use it via the API

# Authorize subsequent calls with the bearer header
curl https://monitorah.com/api/v1/monitors \
  -H "Authorization: Bearer mon_live_…"

Full reference for this endpoint →