
API Keys

All API requests require authentication using an API key. Include your key in the X-API-Key header:
curl "https://kodostatus.com/api/v1/incidents" \
  -H "X-API-Key: your_api_key_here"

Getting Your API Key

  1. Log in to your Dashboard
  2. Navigate to Settings > API
  3. Click Generate API Key
  4. Copy and securely store your key
API keys grant full access to your organization. Keep them secret and never commit them to version control.

Scoped API Keys

For fine-grained access control, create scoped API keys with specific permissions. This is recommended for CI/CD pipelines, integrations, and service accounts.
  1. Go to Settings > API Keys in your dashboard
  2. Click Create Key
  3. Name your key and select the required scopes
  4. Optionally set an expiry date
  5. Copy the key immediately — it won’t be shown again

Available Scopes

Scope                 Description
*:*                   Full access (default)
incidents:read        List and view incidents
incidents:write       Create, update, delete incidents
services:read         List and view services
services:write        Create, update, delete services
status_pages:read     List and view status pages
status_pages:write    Manage status pages and designs
monitors:read         View uptime, SSL, and domain monitors
monitors:write        Manage monitors
maintenance:read      View maintenance windows
maintenance:write     Manage maintenance windows
notifications:read    View notification channels and webhooks
notifications:write   Manage channels and webhooks
config:read           Read organization configuration
config:write          Update configuration
heartbeat:write       Send heartbeat pings
metrics:write         Push metrics data
workflows:write       Trigger workflows
audit_log:read        Read the audit log

Scope Enforcement

When a scoped key attempts an action it doesn’t have permission for, the API returns:
{
  "error": "Insufficient scope: incidents:write required"
}
Legacy API keys (from Settings > API) retain full *:* access for backwards compatibility.

Environment Variables

We recommend storing your API key in environment variables:
# .env
KODO_API_KEY="your_api_key_here"

Rate Limits

Endpoint              Limit
Standard endpoints    1,000 requests/minute
Heartbeat endpoint    10,000 requests/minute
Beacon endpoint       No limit
Rate limit headers are included in all responses:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1704844800
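
A client-side helper that ties together the environment variable, the scope error body, and the rate limit headers described above. This is an added example, not Kodo's own code: the function names are hypothetical, and it assumes X-RateLimit-Reset is a Unix timestamp in seconds and that scope errors match the body shown under Scope Enforcement.

```python
import json
import os
import re

# Error body format shown on this page: "Insufficient scope: incidents:write required"
SCOPE_ERROR = re.compile(r"^Insufficient scope: (\S+) required$")


def auth_headers(environ=os.environ):
    """Build request headers from KODO_API_KEY; fail closed if it is unset."""
    key = environ.get("KODO_API_KEY", "").strip()
    # Reject the documentation placeholder so a copied .env is caught early.
    if not key or key == "your_api_key_here":
        raise RuntimeError("KODO_API_KEY is not set to a real key")
    return {"X-API-Key": key}


def missing_scope(body_text):
    """Return the scope named in an insufficient-scope error body, else None."""
    try:
        error = json.loads(body_text).get("error", "")
    except (ValueError, TypeError, AttributeError):
        return None  # not JSON, or not a JSON object
    match = SCOPE_ERROR.match(error) if isinstance(error, str) else None
    return match.group(1) if match else None


def seconds_until_reset(headers, now):
    """Seconds to wait before the next request; 0 while quota remains.

    Assumption: X-RateLimit-Reset is a Unix timestamp in seconds.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    try:
        remaining = int(lower["x-ratelimit-remaining"])
        reset = int(lower["x-ratelimit-reset"])
    except (KeyError, ValueError):
        return 0  # headers absent or malformed: nothing to throttle on
    return max(0, reset - now) if remaining <= 0 else 0
```

When missing_scope returns a value, add that single scope to the key rather than replacing the key with a *:* one.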

Endpoints Outside /api/v1

Some endpoints live at /api/ instead of /api/v1/ and use their own authentication:
  • POST /api/heartbeat/:monitorId - Send heartbeat pings (API key in header)
  • GET /api/heartbeat/:monitorId - Check heartbeat status (API key in header)
  • POST /api/beacon - Report client-side events (beacon public key in body)
  • POST /api/metrics/ingest - Push metrics (API key in header)
All of these endpoints require authentication via the X-API-Key header or the Authorization: Bearer header, except the beacon endpoint, which uses a beacon public key (bpk_...) in the request body.