
API Authentication

Secure your API requests with TrackScore's authentication system. Learn how to generate API keys, authenticate requests, and implement secure patterns in your applications.

Authentication Methods

API Key Authentication (Recommended)

Simple and secure authentication using API keys. Perfect for server-to-server communication and backend integrations.

Features:

  • Easy to implement and manage
  • Per-project key generation
  • Scoped permissions
  • Usage tracking and monitoring
  • Instant revocation

OAuth 2.0 / JWT (Coming Soon)

Advanced authentication for user-specific actions and third-party integrations using industry-standard OAuth 2.0.

Features (Planned):

  • User-specific permissions
  • Refresh token support
  • Third-party app authorization
  • Granular scope control
  • Session management

Getting Your API Key

Step-by-Step Guide
1. Sign in to TrackScore
   Log in to your TrackScore account or create a new one if you haven't already.

2. Navigate to API Settings
   Go to your Dashboard → Settings → API Keys to access the API management section.

3. Generate New API Key
   Click "Generate New Key", provide a descriptive name, and set the appropriate permissions.

4. Secure Your Key
   Copy your API key immediately and store it securely. You won't be able to see it again for security reasons.

Making Authenticated Requests

Bearer Token Authentication

Include your API key in the Authorization header of every request using the Bearer token format.

HTTP Header

Authorization: Bearer YOUR_API_KEY_HERE

Code Examples

cURL

curl -X GET "https://api.trackscore.online/v1/leaderboards" \
  -H "Authorization: Bearer ts_live_1234567890abcdef" \
  -H "Content-Type: application/json"

JavaScript (fetch)

const response = await fetch('https://api.trackscore.online/v1/leaderboards', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer ts_live_1234567890abcdef',
    'Content-Type': 'application/json'
  }
});

const data = await response.json();

Python (requests)

import requests

headers = {
    'Authorization': 'Bearer ts_live_1234567890abcdef',
    'Content-Type': 'application/json'
}

response = requests.get(
    'https://api.trackscore.online/v1/leaderboards',
    headers=headers
)

data = response.json()

API Key Management

Key Types

Live Keys

For production use. Start with ts_live_

Test Keys

For development and testing. Start with ts_test_

Permissions & Scopes

Available Scopes:

  • read:leaderboards - View leaderboards
  • write:leaderboards - Create/update leaderboards
  • read:participants - View participants
  • write:participants - Manage participants
  • admin - Full access

Authentication Errors

Common Error Responses

401 Unauthorized

{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key"
  }
}

Your API key is missing, invalid, or has been revoked.

403 Forbidden

{
  "error": {
    "code": "insufficient_permissions",
    "message": "API key lacks required permissions"
  }
}

Your API key doesn't have permission for this action.

429 Rate Limited

{
  "error": {
    "code": "rate_limit_exceeded",
    "message": "Too many requests"
  }
}

You've exceeded your rate limit. Wait before making more requests.

Security Best Practices

✓ Do This

  • Store API keys in environment variables
  • Use different keys for different environments
  • Regularly rotate your API keys
  • Monitor API key usage and access logs
  • Use the least privilege principle for scopes
  • Revoke unused or compromised keys immediately
  • Keep keys out of version control

✗ Avoid This

  • Hardcoding keys in your source code
  • Sharing keys via email or chat
  • Using production keys for testing
  • Logging API keys in application logs
  • Exposing keys in client-side JavaScript
  • Using overly broad permission scopes
  • Ignoring key rotation schedules
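
The practices above and the documented error responses, combined in one client helper. This is an added example, not TrackScore's own code; the environment variable names TRACKSCORE_API_KEY and APP_ENV, the alphanumeric key body, and the action strings are assumptions.

```python
import os
import re

# Assumption: key bodies are alphanumeric, like the placeholder key on this page.
KEY_RE = re.compile(r"\bts_(live|test)_[A-Za-z0-9]+")

# What a caller should do for each error code documented above.
ACTIONS = {
    (401, "unauthorized"): "stop: key missing, invalid or revoked",
    (403, "insufficient_permissions"): "stop: key lacks the required scope",
    (429, "rate_limit_exceeded"): "wait: back off before retrying",
}


def load_api_key(environ=os.environ):
    """Read the key from the environment (hypothetical variable names) and check its type."""
    key = environ.get("TRACKSCORE_API_KEY", "")
    match = KEY_RE.fullmatch(key)
    if not match:
        raise ValueError("TRACKSCORE_API_KEY is missing or not a ts_live_/ts_test_ key")
    production = environ.get("APP_ENV") == "production"
    if production != (match.group(1) == "live"):
        raise ValueError("key type does not match APP_ENV")  # never echo the key itself
    return key


def auth_headers(key):
    return {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}


def redact(text):
    """Mask any key in text before it reaches a log line; the type prefix is kept."""
    return KEY_RE.sub(lambda m: f"ts_{m.group(1)}_[REDACTED]", text)


def classify(status, body):
    """Map a response (HTTP status, parsed JSON body or None) to a caller action."""
    if 200 <= status < 300:
        return "ok"
    code = (body or {}).get("error", {}).get("code")
    return ACTIONS.get((status, code), "stop: unexpected error")


if __name__ == "__main__":
    env = {"TRACKSCORE_API_KEY": "ts_test_1234567890abcdef", "APP_ENV": "development"}  # constructed
    headers = auth_headers(load_api_key(env))
    print(redact(f"sending request with headers {headers}"))
    print(classify(429, {"error": {"code": "rate_limit_exceeded", "message": "Too many requests"}}))
```
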