
Authentication headers: bearer, HMAC, OAuth2, and API keys

Owner Theo Hayashi · Last updated 2026-04-05 · v4.5
Tags: auth · authentication · headers · bearer · hmac · oauth2

Authentication headers

DevFlow supports the four common patterns for authenticated API checks.

Bearer

yaml
auth:
  type: bearer
  token_secret: PAYMENTS_PROD_TOKEN

The token comes from variables-and-secrets. It's never written into the monitor file.

HMAC

yaml
auth:
  type: hmac
  algorithm: sha256
  key_secret: WEBHOOK_SIGNING_KEY
  key_id: kid-001
  signed_payload: "{{request.method}}\\n{{request.path}}\\n{{request.body}}"
  header_name: X-Signature
  header_format: "v1=${key_id}.${hex}"

You can use any header name and any format string. The signed_payload template has access to method, path, body, and timestamp (see variables-and-secrets).
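
A receiver-side check for the signature header this configuration produces, as an added example (not DevFlow's own code). It assumes the `\n` in the template renders as a newline and that the hex field is the lowercase HMAC-SHA256 digest; the key store, key value and request path are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed sample key store: key_id -> signing key (assumption, not DevFlow data).
SIGNING_KEYS = {"kid-001": b"constructed-demo-key"}

# Header layout from the config above: v1=<key id>.<64 hex digits>
_HEADER_RE = re.compile(r"v1=([A-Za-z0-9_-]{1,64})\.([0-9a-f]{64})")


def signed_payload(method: str, path: str, body: bytes) -> bytes:
    """Rebuild the signed string: method, path and body joined by newlines."""
    return method.encode() + b"\n" + path.encode() + b"\n" + body


def sign(key_id: str, method: str, path: str, body: bytes) -> str:
    """Produce the header value a sender would attach (used here for the demo)."""
    digest = hmac.new(SIGNING_KEYS[key_id], signed_payload(method, path, body),
                      hashlib.sha256).hexdigest()
    return f"v1={key_id}.{digest}"


def verify(header: str, method: str, path: str, body: bytes) -> bool:
    """Return True only if the header carries a valid signature for this request."""
    match = _HEADER_RE.fullmatch(header or "")
    if match is None:
        return False                      # malformed value or unknown scheme version
    key_id, received_hex = match.groups()
    key = SIGNING_KEYS.get(key_id)
    if key is None:
        return False                      # unknown or retired key id
    expected = hmac.new(key, signed_payload(method, path, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many digits matched.
    return hmac.compare_digest(expected, received_hex)


if __name__ == "__main__":
    body = b'{"check":"health"}'
    header = sign("kid-001", "POST", "/hooks/devflow", body)
    print(verify(header, "POST", "/hooks/devflow", body))         # genuine request
    print(verify(header, "POST", "/hooks/devflow", body + b" "))  # body altered
```

The signed_payload shown in the configuration covers method, path and body only, so this check alone does not reject a replayed request; including the timestamp variable in the template and bounding its age on the receiver closes that gap.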

OAuth2 client-credentials

yaml
auth:
  type: oauth2_client_credentials
  token_url: https://auth.example.com/oauth/token
  client_id_secret: OAUTH_CLIENT_ID
  client_secret_secret: OAUTH_CLIENT_SECRET
  scope: "read:health read:metrics"

We cache tokens for the lifetime declared by the auth server (expires_in) minus a safety margin, so a check does not trigger a new request to your auth server each time it runs.

API key

yaml
auth:
  type: api_key
  header_name: X-API-Key
  key_secret: BACKOFFICE_API_KEY

Rotating

When you rotate a secret, push the new value to the same secret name and the next check will pick it up — there's no monitor reload required. See variables-and-secrets for the rotation flow and audit trail.
