Built API-First
Access your data. Build integrations. Extend the platform.
Every screen in the Tracker Pull admin is backed by the same versioned REST API your integrations use — over 60 documented endpoints, Sanctum-authenticated, with generated TypeScript types and an interactive docs portal.
What You Get
Not just an API — a documented, typed, versioned platform contract.
Interactive Docs
Browse every endpoint, request schema, and response shape at api.trackerpull.ca/docs. Powered by Scribe.
Generated TypeScript Types
Drop /docs/api-types.ts into your project. Every resource shape, request body, and enum — fully typed.
OpenAPI & Postman
Spec at /docs/openapi.yaml. Postman collection at /docs/collection.json. Import in seconds.
Versioned (v1)
Every route is prefixed /v1/. Future versions ship side-by-side; nothing breaks under your feet.
Tokens You Can Trust to a Coworker
Authentication is Laravel Sanctum bearer tokens. Every token carries one or more scopes — read, write, or admin — so a token for a public scoreboard can only read, never accidentally delete an event.
- ·
read— pull events, results, standings, photos - ·
write— create registrations, enter results, upload photos - ·
admin— destructive ops, points recalculation, mark-official
Token-scope checks live in middleware on every protected route — there's no "well, the front-end usually hides that button" hand-waving.
# 1. Authenticate — returns a Sanctum bearer token
curl -X POST https://api.trackerpull.ca/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"you@org.ca","password":"…"}'
# Response
{
"token": "1|abc…",
"user": { "id": 42, "name": "…" }
}
# 2. Call a protected endpoint
curl https://api.trackerpull.ca/v1/auth/user \
-H "Authorization: Bearer 1|abc…" 60+ Endpoints, Organized by What They Do
Public reads need no token. Authenticated reads and writes use bearer auth with scope checks. Below is the shape — full request/response detail lives in the interactive docs.
Public Reads
No token · 60 req/min by IP
- GET /v1/events & /v1/events/{event}
- GET /v1/events/{event}/classes · /results
- GET /v1/events/slug/{slug}/results
- GET /v1/events/{event}/dates/{d}/pull-order
- GET /v1/organizations/{org}/standings
- GET /v1/organizations/{org}/people · /vehicles
- GET /v1/locations · /vehicle-types · /class-types
- GET /v1/rules · /announcements · /documents
- GET /v1/photo-galleries · /photos
- GET /v1/form-availabilities
Mobile App Feed
Public · usage-tracked
- GET /v1/app/events
- GET /v1/app/events/current
- GET /v1/app/events/{event}
- GET /v1/app/events/{e}/dates/{d}/tracks
- GET /v1/app/classes/{id}/results
Optimized payloads for mobile clients. Same authentication and rate-limit rules as public reads.
Authenticated Writes
Bearer token · scope: write or admin
- POST/PUT /v1/organizations/{org}/events
- POST/PUT /v1/organizations/{org}/people
- POST /v1/organizations/{org}/rules
- POST/PUT /v1/vehicles · /event-classes
- POST /v1/class-participants
- POST /v1/class-participants/{id}/update-distance
- POST /v1/event-classes/{c}/calculate-points
- POST /v1/events/{e}/csv-imports/preview
- POST /v1/events/{e}/csv-imports
System & Health
Status checks & auth
- GET /v1/status — uptime & health
- POST /v1/auth/login · /auth/register
- POST /v1/auth/logout
- GET /v1/auth/user — current user
Organization Lives in the Path
Routes that act on org-owned data put the organization right in the URL — /v1/organizations/{org}/standings, /v1/organizations/{org}/people, etc. There's no implicit context to forget to pass. Authenticated mutations layer an org.access check so a token for Org A literally cannot write to Org B.
Tiered Rate Limiting
Limits are enforced per route group. Standard X-RateLimit-Limit / X-RateLimit-Remaining headers on every response.
Public
By IP. Covers all unauthenticated reads, mobile app feed, login, and registration.
Authenticated
By user. Anything behind auth:sanctum — writes, mutations, scoped reads.
Auth Endpoints
Login, registration, and password reset use combined per-email and per-IP throttles — calibrated to stop brute force without locking out legitimate users.
Higher limits available for integration partners — get in touch.
Push-Side Integration
The platform handles inbound webhooks today (mail provider delivery events) and the outbound webhook surface is on the roadmap. If you want to be notified of result entries or status changes instead of polling, let us know what events would unlock your integration.
Inbound — Available Now
SMTP2Go delivery, bounce, and complaint events post to /v1/webhooks/smtp2go/{secret} with a shared-secret URL token. The receiving controller verifies in constant time.
Outbound — On the Roadmap
Subscribe to events like result.created, event.marked_official, or registration.paid. Reach out about your use case to shape priority.
What People Build With It
Anything the admin can do, the API can — because the admin is built on it.
Embedded Live Results
Drop live standings and current-class data into your existing organization website. No iframes, no scraping, just JSON.
Venue Scoreboards
Drive a track-side display directly from the recent-results endpoint. Refresh on a timer, no admin login needed at the venue.
System Sync
Sync members and vehicles into your accounting or CRM system on a schedule. The org-scoped routes make multi-tenant sync trivial.
Custom Apps
Tracker Pull's own mobile app is built on these endpoints — the surface area is proven by the production client.
Interested in API access?
Get in touch to set up a token, request additional scopes, or talk through your integration. Sample collections and TypeScript types are ready to hand over.
Contact Us