Auth login flow monitoring: what StillOnline can and cannot do
“Can users sign in?” is different from “does /health return 200?” Auth0, Clerk, or cookie sessions may fail while your API process is alive.
StillOnline runs stateless HTTP GET probes — no browser, no OAuth redirect dance, no stored passwords. This guide covers honest alternatives: monitor auth provider status, extend /health with token introspection server-side, and external synthetic login tools when contracts require them.
Quick answer
StillOnline does not perform interactive login or headless browser sign-in. Monitor GET /api/health for API liveness, post Degraded on Login when Auth0 Status or your IdP reports incidents, and optionally add a server-side check route that validates a test refresh token from env (returns 200/503 only — never expose secrets in the response). Free = one URL every five minutes; synthetic login SaaS belongs outside StillOnline. Do not embed production user passwords in check URLs.
What breaks vs what probes see
| Failure | /health alone | StillOnline default probe |
|---|---|---|
| IdP outage (Auth0) | Often 200 | Green — post manual status component |
| Session DB down | 503 on /ready | Red if you monitor /ready |
| Broken OAuth redirect in UI | 200 on API | Green — probe does not click “Sign in” |
| MFA or CAPTCHA on login | N/A | Not supported |
OAuth 2.0 flows need a user agent — outside HTTP GET monitors.
Pattern A — IdP + API health (indie default)
- HTTP check on api.yourproduct.com/health.
- Watch vendor status; post a manual incident on Login (see third-party status).
- Owner alerts via Telegram stay tied to your URL.
Pattern B — Server-side token check route
GET /internal/auth-health
Authorization: Bearer <probe-secret>
→ 200 if test service account token refresh succeeds
→ 503 if Auth0 token endpoint fails
- Gate with secret header or IP allowlist.
- Register URL in StillOnline on Pro if /health stays separate.
- Rotate secrets in env — never in StillOnline URL field.
StillOnline does not send custom auth headers on Free beyond what the product UI allows — verify current app settings when configuring.
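One way to implement the Pattern B route as a framework-neutral handler, added here as an example (not StillOnline's or any IdP's own code). The env var names, the injected `refresh` callable, and the 401 answer for a failed gate are assumptions.

```python
import hmac
import os

# Assumed env var names (hypothetical, not StillOnline or Auth0 settings).
PROBE_SECRET_ENV = "AUTH_HEALTH_PROBE_SECRET"
REFRESH_TOKEN_ENV = "AUTH_HEALTH_TEST_REFRESH_TOKEN"


def is_authorized(headers, env=os.environ):
    """Compare the Bearer probe secret with the env value in constant time."""
    expected = env.get(PROBE_SECRET_ENV, "")
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if not expected or scheme.lower() != "bearer":
        return False  # fail closed when the secret is unset or the header is malformed
    return hmac.compare_digest(presented.encode(), expected.encode())


def auth_health(headers, refresh, env=os.environ):
    """Return (status, body) for GET /internal/auth-health.

    `refresh` is a caller-supplied callable (hypothetical) that exchanges the
    test refresh token at the IdP token endpoint and returns True on success.
    """
    if not is_authorized(headers, env):
        return 401, "unauthorized"  # assumption: gate failures get 401, not 503
    token = env.get(REFRESH_TOKEN_ENV)
    if not token:
        return 503, "degraded"  # misconfigured probe counts as a failed check
    try:
        ok = bool(refresh(token))
    except Exception:
        ok = False  # timeouts and IdP errors count as failure; the error is never echoed
    # Fixed bodies only: no token, no IdP error text, no exception message.
    return (200, "ok") if ok else (503, "degraded")
```

Wire `auth_health` into whatever framework serves the route and pass a `refresh` that calls your IdP's token endpoint with a short timeout.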
Pattern C — External synthetic monitoring
Run Playwright/Cypress on a cron, or use Checkly/Browserless, for full UI login. Results can feed a heartbeat URL that StillOnline already polls (see cron heartbeat).
Free tier boundaries
| Resource | Free limit |
|---|---|
| URL checks per project | 1 |
| Probe interval | 300 s |
| Browser login | Not available |
Upgrade to Pro for a second URL (/health + /internal/auth-health); see pricing.
Related guides
- Third-party Auth0/Stripe status
- Uptime probes and antibot
- False positive tuning
- Health endpoint design
FAQ
Can StillOnline log in with a test user automatically?
No. Use server-side token validation routes or external browser synthetics.
Auth0 green but our login broken — what now?
Open a manual Login incident and debug your app config; the HTTP probe may stay green.
Does StillOnline support custom Authorization headers on Free?
Configure checks in the app UI per current product capabilities; prefer a dedicated health URL that does not need per-probe secrets when possible.