Trust Center

How Drumbeats handles security — authentication, the ping endpoint model, payload handling, public status pages, notification channels, and security contact.

This page documents the security-relevant behaviour Drumbeats exposes today. It is intentionally narrow — it covers what the product actually does, not certifications or compliance programs that are not in place. If you need a customer security review, security questionnaire, or a deeper discussion of deployment expectations, contact the Drumbeats team directly using the security contact below.

Authentication and access control

Drumbeats authenticates users and management API clients through a small set of well-defined surfaces.

  • Email and password authentication with email verification and password-reset flows.
  • Short-lived access tokens plus refresh-token flows for authenticated dashboard sessions.
  • Project-scoped API keys for the management REST API — dk_live_<26-char-random> format, passed in the X-API-Key header. Each key is project-scoped and inherits the creator's role.
  • Bearer-token authentication is also accepted on management endpoints for compatibility.
  • Project-scoped RBAC with four roles: OWNER, MANAGER, MEMBER, READONLY. See Workspace setup for what each role can do.
  • Optional TOTP per user for two-factor authentication.
  • Project-level 2FA enforcement that blocks members without TOTP from accessing the project — the API returns TOTP_REQUIRED_FOR_PROJECT until the user enrols.

Ping endpoint model

Monitor ping endpoints are intentionally low-friction so jobs can report status with a single HTTP request. There is no header authentication on the Ping API — the monitor UUID embedded in the URL is the credential.

This means a ping URL is an operational secret. Treat it like one:

  • Do not paste monitor URLs into public repositories, Slack channels with unknown membership, or screenshots.
  • Recreate (rotate) the monitor if you suspect a ping URL has been exposed. Drumbeats does not currently support rotating just the ID — you delete the monitor and recreate it.
  • Prefer the project-slug URL form (/v1/s-ping/<project-id>/<monitor-slug>/...) only when your operational process keeps the project ID safe.

Payload and log handling

Drumbeats stores payloads and progress logs attached to pings. Payloads are visible to every member of the project that owns the monitor.

Operational guidance:

  • Do not send passwords, API tokens, or secrets in payloads. Strip them at the script level before sending — Drumbeats does not perform automatic secret detection.
  • Keep payloads focused. Large payloads cost more Beats and may spill to object storage; both are accounted for transparently in usage, but neither is a substitute for sanitization.
  • Use log events for useful context — not full raw dumps of sensitive data.

See Payloads & logs for the conceptual model and Ping API — Payloads for the size limits.

Public status pages

Status pages are intentionally public when enabled. Controls available today:

  • Per-monitor enablement (is_active).
  • Optional display name and description.
  • Optional incident-history visibility (show_incidents).
  • Optional noindex to discourage search-engine indexing — the page remains publicly accessible; noindex is a hint to crawlers.
  • Vanity slug routing on Pro and Business plans.

If a status page should not be public, disable it. noindex is not an access control.

See Status pages for the full configuration model.

Notification channel handling

Notification channels can contain operationally sensitive destinations — email recipient lists, Slack and Discord webhook targets, Telegram chat connections, and custom webhook endpoints with their own headers (including auth).

  • Channel credentials (Slack tokens, webhook secrets, etc.) are stored encrypted and are never returned by the REST API — Notification Channels endpoint.
  • Use project roles carefully — MANAGER is required to create or modify channels.
  • Review who has MANAGER or OWNER access on production projects.

What this page does not claim

This page does not claim certifications or compliance programs that are not currently in place. If you need a customer security review or a deeper discussion of deployment expectations, contact the Drumbeats team directly.

Security contact

For security questions or responsible disclosure, email support@drumbeats.io and include Security in the subject line. The team will acknowledge security reports promptly and coordinate disclosure timing.