We’ve made a small but important improvement to API tokens in StatusGator.
API tokens now support permission levels. When creating a token, you can choose between:
- Full access
- Read-only
That’s it. A simple change that gives you more control and better security.

Why this matters
Until now, API tokens granted full access by default. While this works well for trusted internal systems, many use cases do not actually require write permissions.
For example:
- Displaying status data in a dashboard
- Pulling monitor data into BI tools
- Syncing incidents to a reporting system
- Powering internal visibility tools
With read-only tokens, you can now follow the principle of least privilege: give each token exactly the access it needs and nothing more.

What’s new
When creating a token under API → Add token, you will now see a Permissions option:
- Full access: Can read and modify resources
- Read-only: Can only retrieve data
Everything else about tokens works the same:
- You can optionally set an expiration date
- You can see last-used information
- You can manage active and inactive tokens
There are no changes to existing tokens. They continue working as expected.

When to use read-only tokens
We recommend using read-only tokens for:
- Analytics and reporting pipelines
- Status page data pulls
- Internal boards
- Monitoring exports
- Third-party visualization tools
Reserve full-access tokens for:
- Automation scripts
- Monitor management
- Incident creation or updates
- Administrative workflows

Better security with a small change
Security improvements do not always need to be complex. Sometimes they are about adding the right guardrails.
By introducing read-only API tokens, we are making it easier to reduce risk, limit blast radius, improve operational hygiene, and align with security best practices.
And best of all, it takes just one click when creating a token.
If you are already using the API, consider reviewing your existing tokens and switching integrations to read-only where possible.





















