
Authentication

How to authenticate with the trackagoat v1 API using API key Bearer tokens.

All v1 API requests require an API key. Keys are scoped to the organization of the user who created them.

Getting an API key

Generate a key in the app: Org settings → API keys → + New API key.

One-time reveal

The full key (tga_<64 hex chars>) is shown once at creation. Copy it immediately: trackagoat stores only a hash and cannot recover the plaintext.

See the API keys guide for step-by-step instructions.

Using the key

Include the key as a Bearer token on every request:

bash
Authorization: Bearer tga_<your-key>

Example:

bash
curl -H "Authorization: Bearer tga_abc123" \
  https://www.trackagoat.com/api/v1/projects

Key format

text
tga_<64 lowercase hex characters>

Example: tga_a1b2c3d4e5f6... (64 hex chars after the prefix).

Org scoping

Keys are org-scoped: all data returned is limited to the organization the key belongs to. A key can only read and write data inside its own org.

Permission scopes

Each key carries one or more permission scopes, chosen at creation time. The scope controls which HTTP methods the key may use:

| Scope | Grants |
|-------|--------|
| read | All GET endpoints |
| write | All POST, PATCH, and DELETE endpoints (in addition to reads if read is also granted) |
| admin | Platform-admin-only endpoints under /api/v1/admin/* (the key owner must also be a platform admin) |

New keys default to ['read', 'write'] unless you narrow the scopes at creation.

A write request made with a read-only key is rejected with 403 and meta.code = "insufficient_scope":

json
{
  "data": null,
  "error": "This action requires the 'write' scope. Granted: [read]",
  "meta": { "code": "insufficient_scope", "required": "write", "granted": ["read"] }
}

This applies to every mutating endpoint, including all payout writes (payout-methods, payout-structures, payout-payments, payout-accruals, their [id] sub-routes, and annotation writes).

Errors

| Status | meta.code | Cause |
|--------|-----------|-------|
| 401 | invalid_api_key | Missing, malformed, invalid, or expired Authorization header / key |
| 403 | insufficient_scope | Key is valid but lacks the scope required for this method |
| 403 | : | Key is valid but the org or user is banned |
| 429 | rate_limit_exceeded | Per-key sliding-window (60 req/min) or daily quota exceeded |

Example 401 response:

json
{
  "data": null,
  "error": "Invalid or expired API key",
  "meta": { "code": "invalid_api_key" }
}
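
Added example (not trackagoat's own code): a client-side guard in Python built from the key format and scope table on this page. It finds and redacts full keys in log text and rejects malformed or out-of-scope requests before they are sent. The function names, the SHA-256 fingerprint and the sample key are this example's own, and treating every /api/v1/admin/ request as needing the admin scope is an assumption.

```python
import hashlib
import re

# Key format from this page: "tga_" + 64 lowercase hex characters.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])tga_[0-9a-f]{64}(?![0-9A-Za-z])")
WRITE_METHODS = {"POST", "PATCH", "DELETE"}

def fingerprint(key: str) -> str:
    """Short SHA-256 tag (this example's choice) that names a key without showing it."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def find_leaked_keys(lines):
    """Return (line_number, fingerprint) for every full key found in text."""
    return [(n, fingerprint(m.group()))
            for n, line in enumerate(lines, 1)
            for m in KEY_RE.finditer(line)]

def redact(text: str) -> str:
    """Replace each full key with its prefix and fingerprint before logging."""
    return KEY_RE.sub(lambda m: f"tga_<redacted:{fingerprint(m.group())}>", text)

def required_scope(method: str, path: str) -> str:
    """Scope needed for a request, following the permission-scope table."""
    if path.startswith("/api/v1/admin/"):
        return "admin"  # assumption: admin paths need 'admin' for any method
    method = method.upper()
    if method == "GET":
        return "read"
    if method in WRITE_METHODS:
        return "write"
    raise ValueError(f"method {method} is not covered by the scope table")

def preflight(key: str, granted, method: str, path: str) -> dict:
    """Build the Authorization header, or fail locally before any request."""
    if not KEY_RE.fullmatch(key):
        raise ValueError("malformed key: the API would answer 401 invalid_api_key")
    need = required_scope(method, path)
    if need not in granted:
        raise PermissionError(f"requires '{need}' scope, granted: {sorted(granted)}")
    return {"Authorization": f"Bearer {key}"}

# Constructed sample data: the key below is made up, not a real credential.
SAMPLE_KEY = "tga_" + "a1b2c3d4" * 8
SAMPLE_LOG = [
    "GET /api/v1/projects 200",
    f'curl -H "Authorization: Bearer {SAMPLE_KEY}" https://www.trackagoat.com/api/v1/projects',
    "note: TGA_" + "A" * 64 + " and tga_" + "f" * 70 + " are not valid keys",
]
```

The fingerprint lets a finding be matched to a key for revocation without copying the key into the report.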
