API Access & Automation | Xitoring Document
Xitoring Document

API Access & Automation

The Xitoring API provides programmatic access to all monitoring features, enabling automation, custom integrations, and infrastructure-as-code workflows. Whether you're automating check creation or building custom reporting tools, the API gives you complete control.

Overview

API capabilities include:

  • Server Management - Add, configure, and remove servers programmatically
  • Check Management - Create, update, and delete uptime monitoring checks
  • Trigger Configuration - Automate alert rule creation
  • Incident Retrieval - Pull incident data for custom reporting
  • Integration Control - Enable/disable software integrations
  • Metrics Access - Retrieve monitoring data and time-series metrics

External Documentation

Complete API reference, endpoints, and technical examples are available in the external API documentation accessible from your dashboard.

Access: Dashboard → Account → API → View API Documentation

Xitoring API Documentations.

Generating API Keys

Creating Your First API Key

Navigate to: Dashboard → Account → API Access → Generate Key

Steps:

  1. Click "Generate New API Key"
  2. Name your key (e.g., "CI/CD Integration", "Terraform Automation")
  3. Set permissions (full access or limited scope)
  4. Save key immediately - Shown only once!
  5. Store securely (password manager, secrets vault)

Key Information:

  • Keys are displayed only once at creation
  • Lost keys cannot be recovered (regenerate new key instead)
  • Each key has unique identifier for tracking
  • Keys never expire unless manually revoked

Security Critical

API keys grant full account access. If compromised, attacker can:

  • Delete all monitoring
  • Modify alert configurations
  • Access sensitive server data
  • Create/remove integrations

Treat API keys like passwords!

Key Types

Full Access Keys:

  • Complete control over account
  • All API endpoints available
  • Use for trusted automation only
  • Rotate every 90 days

Server Registration Keys:

  • Xitogent Register Keys - Limited to server registration only
  • Cannot access other account data
  • Safe for embedding in infrastructure templates
  • Cannot list existing resources

Managing API Keys

Viewing Existing Keys

Navigate to: Dashboard → Account → API Access → Manage Keys

What You'll See:

  • Key name/description
  • Creation date
  • Last used timestamp
  • Current status (active/revoked)
  • Usage statistics (API calls this month)

Rotating Keys

Best practice: Rotate every 90 days

Rotation Process:

  1. Generate new API key
  2. Update all integrations/scripts with new key
  3. Test integrations with new key
  4. Revoke old key only after successful migration
  5. Monitor for any systems still using old key

Gradual Migration:

  • Keep both keys active during transition
  • Monitor "last used" timestamp on old key
  • Revoke old key when timestamp stops updating

Revoking Keys

Immediately revoke when:

  • Key accidentally committed to public repository
  • Team member with key access leaves company
  • Suspected unauthorized use
  • Key no longer needed

How to revoke:

  1. Account → API Access → Manage Keys
  2. Select key to revoke
  3. Click "Revoke"
  4. Confirm revocation
  5. Key becomes invalid immediately (any in-flight requests fail)

Track Key Usage

Name keys descriptively ("GitHub Actions - Production", "Ansible Automation", "Data Export Script") to identify impact when rotating or revoking.

API Security Best Practices

Storage

✅ DO:

  • Store in environment variables
  • Use secrets management service (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault)
  • Encrypt keys at rest
  • Use password manager for manual storage

❌ DON'T:

  • Hardcode in application code
  • Commit to version control (Git)
  • Share via email/chat
  • Store in plain text files
  • Log keys in application logs

Access Control

Limit who can generate/view keys:

  • Only admin users should access API keys
  • Audit key generation events
  • Review key usage regularly
  • Follow principle of least privilege

Rotation Policy

Recommended schedule:

  • Production keys: Every 90 days
  • Development keys: Every 180 days
  • Compromised keys: Immediately
  • Inactive keys: Revoke after 30 days unused

Monitoring

Watch for suspicious activity:

  • API calls from unexpected IP addresses
  • Unusual call volume (potential abuse)
  • Failed authentication attempts
  • After-hours API usage (if not expected)

API Use Cases

Infrastructure as Code

Automate monitoring alongside infrastructure:

# Example: Provision server, install monitoring
terraform apply                    # Create cloud VM
ssh new-server "curl install.sh"   # Install Xitogent
curl -X POST api.xitoring.com/checks -H "Authorization: Bearer $API_KEY"

Benefits:

  • Monitoring configured with infrastructure
  • New environments automatically monitored
  • Consistent monitoring across deployments
  • Version-controlled monitoring configuration

CI/CD Integration

Integrate monitoring into deployment pipelines:

  • Create uptime checks for newly deployed services
  • Update check URLs after blue-green deployments
  • Pause checks during deployments (avoid false alerts)
  • Re-enable monitoring after deployment completes

Common patterns:

  1. Pre-deployment: Pause relevant checks
  2. Deploy: Update application
  3. Post-deployment: Update check URLs via API
  4. Verification: Resume checks, monitor for incidents

Custom Reporting

Extract metrics for business reporting:

  • Pull uptime percentages for SLA reports
  • Retrieve incident counts for management dashboards
  • Aggregate performance metrics across services
  • Build custom analytics on monitoring data

Automated Remediation

Respond to incidents programmatically:

  • Webhook receives incident notification
  • Script retrieves incident details via API
  • Automated diagnostics run (disk cleanup, restart services)
  • Incident marked resolved via API after fix

Bulk Operations

Manage monitoring at scale:

  • Create 100 checks from CSV file
  • Update notification roles across all triggers
  • Enable integration on all database servers
  • Mass-update check intervals during maintenance

Getting Started

Quick Test (cURL Example)

Verify your API key works:

# Replace YOUR_API_KEY with actual key
curl -H "Authorization: Bearer YOUR_API_KEY" \
     https://api.xitoring.com/v1/account

Expected Response:

{
  "status": "success",
  "data": {
    "account_id": "...",
    "plan": "...",
    "usage": { ... }
  }
}

If authentication fails:

  • Verify key copied correctly (no extra spaces)
  • Check key not revoked
  • Confirm request headers properly formatted

Next Steps

  1. Read API Documentation - Dashboard → Account → API → Documentation
  2. Start Simple - Begin with GET requests (read-only)
  3. Test in Development - Use sub-account or staging environment
  4. Handle Errors - Implement retry logic and error handling
  5. Monitor Usage - Track API call quotas (if applicable)

Webhooks (Outbound API)

Xitoring can call your API when events occur:

  • Incident Webhooks - Notify your systems of incidents
  • Payload - JSON with incident details, affected check, timestamps
  • Authentication - Configure custom headers for webhook authentication
  • Retry Logic - Xitoring retries failed webhooks automatically

See: Webhook Notification Channel for webhook configuration.

Frequently Asked Questions

Where is the complete API documentation? Dashboard → Account → API Access → View Documentation (links to external API docs)

Can I use API keys across multiple accounts/sub-accounts? No. Each API key is scoped to the account where it was generated. Sub-accounts need separate keys.

Is there a cost for API usage? No. API access included in all plans.

What happens to API keys if I downgrade my plan? Keys remain active. API functionality included in all plans.

How do I recover a lost API key? You can't. Keys shown only once at creation. Generate new key and revoke lost one.

Can I see which API key made which API call? Yes. Activity logs show API key ID for all API-initiated actions.

Is the API versioned? Yes. Current version: v1. Breaking changes result in new version (v2), with v1 supported for transition period.

Troubleshooting

Authentication Failures

Error: 401 Unauthorized

Solutions:

  • Verify API key copied correctly
  • Check key not revoked
  • Ensure Authorization: Bearer YOUR_KEY header present
  • Confirm no extra spaces in key value

Permission Denied

Error: 403 Forbidden

Solutions:

  • Key may have limited permissions (read-only trying to write)
  • Operation requires higher privilege level
  • Check account permissions settings

Resource Not Found

Error: 404 Not Found

Solutions:

  • Verify resource ID correct
  • Check resource exists in your account
  • Confirm endpoint URL correct (typos)
  • Ensure using correct API version (/v1/)

Rate Limited

Error: 429 Too Many Requests

Solutions:

  • Implement exponential backoff
  • Reduce request frequency
  • Batch operations if possible
  • Contact support if legitimate high-volume usage

See Also

External API Documentation: Access complete endpoint reference, request/response examples, and technical specifications from Dashboard → Account → API Access → View Documentation

Last Updated: