Trust Center
How Drumbeats handles security — authentication, the ping endpoint model, payload handling, public status pages, notification channels, and security contact.
This page documents the security-relevant behaviour Drumbeats exposes today. It is intentionally narrow — it covers what the product actually does, not certifications or compliance programs that are not in place. If you need a customer security review, security questionnaire, or a deeper discussion of deployment expectations, contact the Drumbeats team directly using the security contact below.
Authentication and access control
Drumbeats authenticates users and management API clients through a small set of well-defined surfaces.
- Email and password authentication with email verification and password-reset flows.
- Short-lived access tokens plus refresh-token flows for authenticated dashboard sessions.
- Project-scoped API keys for the management REST API —
dk_live_<26-char-random>format, passed in theX-API-Keyheader. Each key is project-scoped and inherits the creator's role. - Bearer-token authentication is also accepted on management endpoints for compatibility.
- Project-scoped RBAC with four roles:
OWNER,MANAGER,MEMBER,READONLY. See Workspace setup for what each role can do. - Optional TOTP per user for two-factor authentication.
- Project-level 2FA enforcement that blocks members without TOTP from accessing the project — the API returns
TOTP_REQUIRED_FOR_PROJECTuntil the user enrols.
Ping endpoint model
Monitor ping endpoints are intentionally low-friction so jobs can report status with a single HTTP request. There is no header authentication on the Ping API — the monitor UUID embedded in the URL is the credential.
This means a ping URL is an operational secret. Treat it like one:
- Do not paste monitor URLs into public repositories, Slack channels with unknown membership, or screenshots.
- Recreate (rotate) the monitor if you suspect a ping URL has been exposed. Drumbeats does not currently support rotating just the ID — you delete the monitor and recreate it.
- Prefer the project-slug URL form (
/v1/s-ping/<project-id>/<monitor-slug>/...) only when your operational process keeps the project ID safe.
Payload and log handling
Drumbeats stores payloads and progress logs attached to pings. Payloads are visible to every member of the project that owns the monitor.
Operational guidance:
- Do not send passwords, API tokens, or secrets in payloads. Strip them at the script level before sending — Drumbeats does not perform automatic secret detection.
- Keep payloads focused. Large payloads cost more Beats and may spill to object storage; both are accounted for transparently in usage, but neither is a substitute for sanitization.
- Use
logevents for useful context — not full raw dumps of sensitive data.
See Payloads & logs for the conceptual model and Ping API — Payloads for the size limits.
Public status pages
Status pages are intentionally public when enabled. Controls available today:
- Per-monitor enablement (
is_active). - Optional display name and description.
- Optional incident-history visibility (
show_incidents). - Optional
noindexto discourage search-engine indexing — the page remains publicly accessible;noindexis a hint to crawlers. - Vanity slug routing on Pro and Business plans.
If a status page should not be public, disable it. noindex is not an access control.
See Status pages for the full configuration model.
Notification channel handling
Notification channels can contain operationally sensitive destinations — email recipient lists, Slack and Discord webhook targets, Telegram chat connections, and custom webhook endpoints with their own headers (including auth).
- Channel credentials (Slack tokens, webhook secrets, etc.) are stored encrypted and are never returned by the REST API — Notification Channels endpoint.
- Use project roles carefully —
MANAGERis required to create or modify channels. - Review who has
MANAGERorOWNERaccess on production projects.
What this page does not claim
This page does not claim certifications or compliance programs that are not currently in place. If you need a customer security review or a deeper discussion of deployment expectations, contact the Drumbeats team directly.
Security contact
For security questions or responsible disclosure, email support@drumbeats.io and include Security in the subject line. The team will acknowledge security reports promptly and coordinate disclosure timing.
Related guides
- Workspace setup — onboarding, project roles, and TOTP enforcement.
- REST API overview — the authentication surface for management endpoints.
- Notifications: channels — channel-type setup and the operational risk of misrouted channels.
- Support — general troubleshooting and contact info.