API Authentication & Keys
Generate API keys, scope them, rotate them, revoke them.
Creating a key
Settings → API Keys → Generate new key. Three things to set: a name a teammate could grep for ("Grafana integration", "Watchdog cron"), the scopes you actually need (least-privilege beats convenience here), and an optional expiry. We surface the key only once — copy it then. We store only a bcrypt hash, so we can't show it to you later, even if you're the same logged-in user.
Format
Keys start with mpk_ (for "monpg key"), followed by 64 hex characters. Total length 68:
mpk_a3f2e4d8c9b1f6...
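Because the format is fixed, leaked keys are easy to find in logs, config files and commits. The scanner below is an added example, not monpg's own code: it assumes hex digits may appear in either case (the page does not say), and the sample key and the `MONPG_API_KEY` variable name are constructed for illustration.

```python
import re

# Format from the page: "mpk_" + 64 hex characters, 68 characters total.
# Assumption: the page does not state hex case, so both cases are matched.
# The lookarounds reject matches embedded in a longer identifier or hex run.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])mpk_[0-9a-fA-F]{64}(?![0-9A-Za-z_])")


def redact(key: str) -> str:
    """Keep 'mpk_' plus 4 hex chars so the key can be matched to its owner."""
    return f"{key[:8]}...[{len(key) - 8} redacted]"


def scan(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_key) for every full-length key in text."""
    return [
        (lineno, redact(m.group(0)))
        for lineno, line in enumerate(text.splitlines(), start=1)
        for m in KEY_RE.finditer(line)
    ]


def scrub(text: str) -> str:
    """Replace every full-length key with its redacted form."""
    return KEY_RE.sub(lambda m: redact(m.group(0)), text)


# Constructed sample input; the key below is made up, not a real credential.
SAMPLE_KEY = "mpk_" + "0123456789abcdef" * 4
SAMPLE = "\n".join([
    'curl -H "Authorization: Bearer mpk_..." https://api.monpg.app/api/v1/servers',
    f"MONPG_API_KEY={SAMPLE_KEY}",  # hypothetical variable name
    f"debug: Authorization: Bearer mpk_{SAMPLE_KEY[4:].upper()}",
    "docs example: mpk_a3f2e4d8c9b1f6...",
])

if __name__ == "__main__":
    for lineno, shown in scan(SAMPLE):
        print(f"line {lineno}: {shown}")
    print(scrub(SAMPLE))
```

Truncated placeholders such as `mpk_...` are deliberately not reported, so documentation snippets do not raise false alarms.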
Usage
curl -H "Authorization: Bearer mpk_..." https://api.monpg.app/api/v1/servers
Rotation without downtime
The drill is generate, swap, revoke:
- Generate a new key with the same scopes.
- Update your integration to use the new one.
- Revoke the old key from Settings → API Keys.
Both keys validate during the overlap. Revocation propagates within seconds — ongoing requests with the old key get 401 once the cache flushes.
Scopes
| Scope | Description |
|---|---|
| read:servers | List + get server details, metadata, status |
| read:metrics | Time-series metric queries |
| read:alerts | List firing/resolved alerts, read rules |
| write:alerts | Acknowledge/resolve alert instances (not rule editing) |
| read:logs | Log Insights entries + pattern queries |
| read:reports | Download scheduled reports + run ad-hoc queries |
| admin:billing | Read billing state, invoices, change plan. Restrict to org owner. |
Revocation
Settings → API Keys → Revoke takes effect within 60 seconds (the validation cache TTL). For incident-grade immediate revocation, "Revoke all keys in org" rolls the org's signing salt — every in-flight request 401s at the next validation cycle. Use this when a key has leaked and you can't wait a minute.