Help & guidesAPI & integrations › Generate API token

Generate API token

2 min read · API & integrations

An API token is your personal key for programmatic access to ePulz.io. It comes in handy when you want to reach the service from scripts, your own tools or a CI/CD pipeline. Through the API you can create and edit monitors, download availability data or feed measurement results into your own systems. This guide shows where to generate a token, what it looks like, where to store it safely and how to revoke it.

API token management - epulzio_ prefix and last use
API token management: name, epulzio_ prefix and the time of last use.

Where to generate a token

Tokens are tied to a specific user - every team member has their own tokens with their own permissions.

  • In the dashboard open the API tokens section (path /dashboard/api-tokens).
  • Click + New token.
  • Enter a descriptive name that helps you recognise the token (for example CI/CD pipeline or Internal dashboard).
  • The token stays valid until you revoke it - it has no fixed expiry date.
  • After clicking Create the full token value is shown. Copy it right away - for security reasons you will not see it again.

What the token looks like

Every token starts with the prefix epulzio_ and has more than 40 characters in total. Example (shortened):

epulzio_2bF7nQ9k4Lm8XzR0pT3vYw5sH1cJ6dE...

The prefix lets you instantly recognise the token among other strings - for example when searching through logs or scanning repositories for a leaked key.

How to use the token

The token is sent in the Authorization HTTP header in the form:

Authorization: Bearer epulzio_xxxxxxxxxxxxxxxx

Example call from the terminal:

curl -H "Authorization: Bearer epulzio_..." https://epulz.io/api/v1/monitors

Where to store the token safely

Treat the token like a password. Never put it in publicly accessible code, documentation or chat messages.

  • Locally during development: in an environment variable, for example EPULZIO_TOKEN in a .env file (which is in .gitignore).
  • In CI/CD: through the secrets your platform offers (GitHub Actions secrets, GitLab CI variables, Bitbucket repository variables and so on).
  • On servers: through system environment variables or a secrets manager (HashiCorp Vault, AWS Secrets Manager).
Tip: For every system that uses the API, create its own token with its own name. If one ever leaks, you simply revoke only the affected one and the other integrations keep running without any intervention.

How to revoke a token

  • In the token list find the one you want to revoke and click Revoke.
  • Revocation takes effect immediately - further calls with this token receive a 401 Unauthorized response (the token is invalid).
  • A revoked token cannot be restored. If you need it back, generate a new one.

Go through the list of active tokens every now and then and remove the ones you no longer use. Fewer active tokens means a smaller attack surface.

Was this guide helpful?