Skip to main content
By the end of this guide, you’ll have an HTTP monitor securely checking an endpoint that requires authentication, with credentials stored in the DevHelm vault.
  • DevHelm CLI installed or an API token
  • An API endpoint that requires authentication
  • Credentials for that endpoint (API key, bearer token, or basic auth)

Supported auth types

DevHelm supports four authentication methods for HTTP monitors:
TypeDescriptionHeader format
bearerBearer tokenAuthorization: Bearer <token>
basicUsername + passwordAuthorization: Basic <base64>
api_keyAPI key in a query parameter or headerConfigurable
headerCustom header with a static valueAny header name

Store credentials in the vault

Never put credentials directly in your config files. Store them in the DevHelm vault: 
devhelm secrets set API_BEARER_TOKEN=your-secret-token
For YAML-based config, reference vault secrets with ${VAR} syntax. For CLI-created monitors, use the --vault-secret-id flag.

Create an authenticated monitor

Bearer token

monitors:
  - name: Private API Health
    type: HTTP
    config:
      url: https://api.example.com/private/health
      method: GET
    auth:
      type: bearer
      vaultSecretId: "your-vault-secret-id"
    frequencySeconds: 60
    regions:
      - us-east

Basic auth

monitors:
  - name: Admin Panel
    type: HTTP
    config:
      url: https://admin.example.com/health
    auth:
      type: basic
      username: monitor-user
      vaultSecretId: "basic-auth-password-secret-id"
    frequencySeconds: 300
    regions:
      - us-east

API key

monitors:
  - name: Third-Party API
    type: HTTP
    config:
      url: https://api.vendor.com/v1/status
    auth:
      type: api_key
      paramName: x-api-key
      vaultSecretId: "vendor-api-key-secret-id"
    frequencySeconds: 300
    regions:
      - us-east

Custom header

monitors:
  - name: Internal Service
    type: HTTP
    config:
      url: https://internal.example.com/health
    auth:
      type: header
      headerName: X-Internal-Token
      vaultSecretId: "internal-token-secret-id"
    frequencySeconds: 60
    regions:
      - us-east

Custom headers (alternative)

For simple cases, you can also pass headers directly in the HTTP config: 
monitors:
  - name: API with Custom Header
    type: HTTP
    config:
      url: https://api.example.com/status
      customHeaders:
        X-Custom-Auth: ${CUSTOM_AUTH_TOKEN}
    frequencySeconds: 60
    regions:
      - us-east
The auth configuration is preferred over customHeaders for credentials because vault secrets are encrypted at rest and never logged.

Troubleshooting

Verify the vault secret value is correct: devhelm secrets list shows secret names but not values. Recreate the secret if in doubt.
The credentials are valid but lack permission. Check that the API key or token has read access to the health endpoint.
Some APIs restrict access by IP. Ensure DevHelm probe IPs are allowlisted. Contact support for the current probe IP ranges.

Next steps

HTTP monitor reference

Full HTTP configuration and auth details.

Monitors guide

Configure all monitor types with code examples.

Monitoring as Code

Manage authenticated monitors in YAML.