1

Heartbeat-Protocol

Jonathan Miller edited this page 2026-06-22 13:47:47 +00:00

Table of Contents

• Heartbeat Protocol
• Endpoint
• Authentication
• Signature Verification
• Response
• Error Codes
• Auto-Registration

Heartbeat Protocol

Endpoint

POST {hq_base_url}/api/index.php/v1/mokosuitehq/heartbeat

Authentication

1. RSA Signature: X-MokoSuite-Signature header (base64-encoded)
2. Timestamp: X-MokoSuite-Timestamp header (Unix timestamp)
3. Per-site Token: token field in JSON body

Signature Verification

Message: {domain}|{timestamp}|{token} Algorithm: OPENSSL_ALGO_SHA256 Max age: 300 seconds (replay protection)

Response

{"status": "ok", "site_id": 1, "received": "2026-06-21 12:00:00"}

Error Codes

Code	Meaning
401	Missing token or domain
403	Missing/invalid/expired signature
500	Server error
503	RSA verification not configured

Auto-Registration

On first heartbeat from an unknown domain, HQ auto-registers the site. Token rotation is allowed when RSA signature is valid (reinstall scenario).

Pages

• Heartbeat-HQ-Integration
• Heartbeat-Protocol
• Home
• Mirror-Domains-Staging
• Privacy-Guard
• Security-Firewall
• guides
  • Configuration
  • Installation
• reference
  • API Endpoints
  • Grafana Integration
  • Health Monitoring
  • Plugin Protection
  • health endpoint