Authentication details can evolve as API coverage expands. Use this page as the current guide to how Watchman Tower handles authenticated API access.

Overview

API keys provide programmatic access to Watchman Tower. Each key:
  • Grants account access with configurable permissions
  • Remains active until revoked
  • Can be revoked at any time
  • Requires secure storage

Base URL

API requests are made to:
https://api.watchmantower.com/public/v1

Authentication Method

API keys can be passed via the Authorization header:
GET /public/v1/sites HTTP/1.1
Host: api.watchmantower.com
Authorization: Bearer wmt_api_a1b2c3d4e5f6g7h8i9j0...
Or using the custom header:
GET /public/v1/sites HTTP/1.1
Host: api.watchmantower.com
x-api-key: wmt_api_a1b2c3d4e5f6g7h8i9j0...

Key Format

API keys follow this format:
wmt_api_[48 alphanumeric characters]
Example:
wmt_api_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2

Generating API Keys

API keys are managed through:
  1. Dashboard: Settings → API Keys → Generate New Key
  2. API Endpoint: Create keys programmatically (requires existing key)
Keys may include:
  • Name: Descriptive identifier (e.g., “CI/CD Pipeline”, “Production”)
  • Permissions: Read-only or full access
  • Expiration: Optional expiration date
  • IP Whitelist: Optional IP restrictions (Enterprise)

Key Permissions

Read-Only Access

Typical read-only access allows:
  • List and view monitors
  • Get monitor status and metrics
  • View incidents and history
  • Access uptime data
It does not allow:
  • Creating or modifying monitors
  • Changing alert settings
  • Managing team members
  • Deleting resources

Full Access

Full access allows:
  • All read operations
  • Create, update, delete monitors
  • Configure alerts and integrations
  • Manage account settings

Security Best Practices

Environment Variables

Store keys in environment variables, never in source code

Separate Keys

Use different keys for different services and environments

Minimum Permissions

Use read-only keys when write access isn’t needed

Regular Rotation

Rotate keys every 90 days or when team members change

Monitor Usage

Review key usage regularly and revoke unused keys

Never Commit

Add files that contain keys to .gitignore and use placeholder values in version control
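
An added example, not part of Watchman Tower's documentation or tooling: a pre-commit style check that flags strings matching the key format described above and prints them redacted. The placeholder convention, the WATCHMAN_API_KEY variable name, and all file names and key values are constructed for illustration.

```python
import re

# Documented format: "wmt_api_" + 48 alphanumeric characters. The pattern is
# looser (16 or more) so truncated or odd-length keys are still reported.
KEY_RE = re.compile(r"wmt_api_[A-Za-z0-9]{16,}")
DOCUMENTED_LEN = 48
# Assumption: placeholders kept in version control are runs of x, X or 0.
PLACEHOLDER_RE = re.compile(r"wmt_api_(x+|X+|0+)")


def redact(key):
    """Show only the prefix and 4 characters so CI logs never hold a key."""
    return key[:12] + "..."


def scan_text(path, text):
    """Return findings as (path, line_no, redacted_key, has_documented_length)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            if PLACEHOLDER_RE.fullmatch(key):
                continue  # placeholder value, safe to commit
            body_len = len(key) - len("wmt_api_")
            findings.append((path, line_no, redact(key), body_len == DOCUMENTED_LEN))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping in path order and collect all findings."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample input: none of these values are real keys.
SAMPLE_FILES = {
    "deploy/config.py": 'API_KEY = "wmt_api_' + "Ab3" * 16 + '"\n',
    ".env.example": "WATCHMAN_API_KEY=wmt_api_" + "x" * 48 + "\n",
    "ci/run.sh": "#!/bin/sh\ncurl -H 'x-api-key: wmt_api_a1b2c3d4e5f6g7h8i9j0k1l2' $URL\n",
    "app/client.py": 'key = os.environ["WATCHMAN_API_KEY"]\n',
}

if __name__ == "__main__":
    for path, line_no, shown, exact in scan_files(SAMPLE_FILES):
        kind = "documented length" if exact else "non-standard length"
        print(f"{path}:{line_no}: possible API key {shown} ({kind})")
```

Any key this check reports should be treated as exposed and revoked, since removing it from the working tree does not remove it from earlier commits.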

Rate Limiting

API usage can be subject to rate limits based on plan and endpoint behavior. Refer to response headers and the current product documentation for the latest rate limit behavior in your workspace. Example response headers:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 987
X-RateLimit-Reset: 1700583600

Error Responses

Authentication errors return standard HTTP status codes:
Status  Code          Description
401     UNAUTHORIZED  Invalid or missing API key
403     FORBIDDEN     Insufficient permissions for operation
429     RATE_LIMITED  Rate limit exceeded
Example error response:
{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid API key"
  }
}

Staying Current

For the latest authentication behavior, key management options, and endpoint coverage, review the current dashboard and API docs together.
