# Can I monitor authenticated sites?

Yes. Every uptime check supports [custom headers and payloads](/docs/features/configure-your-oh-dear-settings-per-monitor#custom-http-headers), so you can send cookies, bearer tokens, HTTP Basic authentication, or any other credentials your endpoint requires.

Common patterns we see:

- **HTTP Basic auth**: add an `Authorization: Basic ...` header
- **Bearer tokens**: add `Authorization: Bearer <token>`
- **Custom API keys**: add your service's specific header (`X-Api-Key: ...`, `X-Auth-Token: ...`)
- **Session cookies**: paste the `Cookie` header value

If you're protecting a site with HTTP Basic auth, our blog post ["How to monitor websites behind HTTP basic authentication"](/news-and-updates/how-to-monitor-websites-behind-http-basic-authentication) walks through the setup in detail.

Rotating credentials regularly is a good idea (for everyone, not just us). When you rotate, update the monitor's custom headers so your uptime checks keep passing.