
API Keys

API keys let you connect external tools to your TrackOut account. Use them with the MCP server or any HTTP client to read and write your garage data programmatically.


Creating a key

  1. Go to Settings and find the API Keys section
  2. Click Create API Key
  3. Enter a name to identify the key (e.g., "Claude Code", "Maintenance Script")
  4. Choose the permissions the key should have (see below)
  5. Copy the key immediately -- it is shown only once

Save your key

The full API key is displayed only at creation time. If you lose it, revoke the old key and create a new one.


Permissions

API keys can be scoped to limit what they're allowed to do. This reduces blast radius when handing a key to an external tool or LLM agent.

Scope | What it allows
Read  | List and view cars, service records, tires, track days, parts, and other garage data (all GET endpoints)
Write | Create, update, and delete records (all POST, PATCH, DELETE endpoints). Write access always includes read.

Choose the minimum required scope. For example, a key used by a read-only analytics tool should have only the Read scope. A key given to an LLM agent that needs to log service records should have Write (which includes read).

Requests made with a key that lacks the required scope receive a 403 Forbidden response.

Backward compatibility

Keys created before scopes were introduced continue to work with full read + write access.


Managing keys

The API Keys section in Settings shows all active keys with:

  • Name -- the label you gave the key
  • Permissions badge -- shown next to the name for restricted keys (e.g., read-only); full-access keys have no badge
  • Prefix -- the first few characters (e.g., tok_a1b2...) for identification
  • Created date -- when the key was generated
  • Last used -- when the key was last used to make an API call

You can have up to 5 active keys at a time. To create a new key when at the limit, revoke an existing one first.


Revoking a key

Click the trash icon next to any key to revoke it. Revoked keys stop working immediately -- any tool using that key will receive a 401 error.


Security

  • Keys are hashed before storage -- TrackOut never stores the plaintext key
  • Each key is scoped to your account -- it can only access your data
  • Use a separate key per tool so you can revoke access individually
  • Rotate keys periodically, especially if you suspect one may have been exposed
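
The rules described on this page (scopes by HTTP method, 403 versus 401, pre-scope keys, hashed storage, the five-key limit) can be modeled as a single server-side check. This is an added example, not TrackOut's own code; the KeyStore class, the use of SHA-256 as the hash, and the generated key length are assumptions made for illustration.

```python
import hashlib
import secrets

READ_METHODS = {"GET"}  # per the page: Read covers all GET endpoints
MAX_ACTIVE_KEYS = 5     # per the page: up to 5 active keys


def digest(key):
    # Assumption: SHA-256 over a long random key; the page only says "hashed".
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """Hypothetical in-memory model of the key table (illustration only)."""

    def __init__(self):
        self.records = {}  # digest -> metadata; the plaintext key is never kept

    def create(self, name, scope):
        """scope is "read", "write", or None for a key that predates scopes."""
        active = [r for r in self.records.values() if not r["revoked"]]
        if len(active) >= MAX_ACTIVE_KEYS:
            raise ValueError("key limit reached; revoke an existing key first")
        key = "tok_" + secrets.token_hex(24)  # returned once, at creation
        self.records[digest(key)] = {"name": name, "scope": scope,
                                     "prefix": key[:8], "revoked": False}
        return key

    def revoke(self, name):
        for record in self.records.values():
            if record["name"] == name:
                record["revoked"] = True

    def authorize(self, key, method):
        """Return the HTTP status a request with this key should receive."""
        record = self.records.get(digest(key))
        if record is None or record["revoked"]:
            return 401  # unknown or revoked key
        if record["scope"] in (None, "write"):
            return 200  # pre-scope keys and Write keys have read + write
        if record["scope"] == "read" and method.upper() in READ_METHODS:
            return 200
        return 403  # valid key, but it lacks the required scope
```

Any method outside the read set is refused for a Read key, so the check fails closed if new write endpoints are added later.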