For developers and integrators

Built API-First

Access your data. Build integrations. Extend the platform.

Every screen in the Tracker Pull admin is backed by the same versioned REST API your integrations use — over 60 documented endpoints, Sanctum-authenticated, with generated TypeScript types and an interactive docs portal.

What You Get

Not just an API — a documented, typed, versioned platform contract.

Interactive Docs

Browse every endpoint, request schema, and response shape at api.trackerpull.ca/docs. Powered by Scribe.

Generated TypeScript Types

Drop /docs/api-types.ts into your project. Every resource shape, request body, and enum — fully typed.

OpenAPI & Postman

Spec at /docs/openapi.yaml. Postman collection at /docs/collection.json. Import in seconds.

Versioned (v1)

Every route is prefixed /v1/. Future versions ship side-by-side; nothing breaks under your feet.

Authentication & token scopes

Tokens You Can Trust to a Coworker

Authentication is Laravel Sanctum bearer tokens. Every token carries one or more scopesread, write, or admin — so a token for a public scoreboard can only read, never accidentally delete an event.

  • · read — pull events, results, standings, photos
  • · write — create registrations, enter results, upload photos
  • · admin — destructive ops, points recalculation, mark-official

Token-scope checks live in middleware on every protected route — there's no "well, the front-end usually hides that button" hand-waving.

Login & authenticated request
# 1. Authenticate — returns a Sanctum bearer token
curl -X POST https://api.trackerpull.ca/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"you@org.ca","password":"…"}'

# Response
{
  "token": "1|abc…",
  "user": { "id": 42, "name": "…" }
}

# 2. Call a protected endpoint
curl https://api.trackerpull.ca/v1/auth/user \
  -H "Authorization: Bearer 1|abc…"
Endpoint surface

60+ Endpoints, Organized by What They Do

Public reads need no token. Authenticated reads and writes use bearer auth with scope checks. Below is the shape — full request/response detail lives in the interactive docs.

Public Reads

No token · 60 req/min by IP

  • GET /v1/events & /v1/events/{event}
  • GET /v1/events/{event}/classes · /results
  • GET /v1/events/slug/{slug}/results
  • GET /v1/events/{event}/dates/{d}/pull-order
  • GET /v1/organizations/{org}/standings
  • GET /v1/organizations/{org}/people · /vehicles
  • GET /v1/locations · /vehicle-types · /class-types
  • GET /v1/rules · /announcements · /documents
  • GET /v1/photo-galleries · /photos
  • GET /v1/form-availabilities

Mobile App Feed

Public · usage-tracked

  • GET /v1/app/events
  • GET /v1/app/events/current
  • GET /v1/app/events/{event}
  • GET /v1/app/events/{e}/dates/{d}/tracks
  • GET /v1/app/classes/{id}/results

Optimized payloads for mobile clients. Same authentication and rate-limit rules as public reads.

Authenticated Writes

Bearer token · scope: write or admin

  • POST/PUT /v1/organizations/{org}/events
  • POST/PUT /v1/organizations/{org}/people
  • POST /v1/organizations/{org}/rules
  • POST/PUT /v1/vehicles · /event-classes
  • POST /v1/class-participants
  • POST /v1/class-participants/{id}/update-distance
  • POST /v1/event-classes/{c}/calculate-points
  • POST /v1/events/{e}/csv-imports/preview
  • POST /v1/events/{e}/csv-imports

System & Health

Status checks & auth

  • GET /v1/status — uptime & health
  • POST /v1/auth/login · /auth/register
  • POST /v1/auth/logout
  • GET /v1/auth/user — current user
Multi-tenant by URL

Organization Lives in the Path

Routes that act on org-owned data put the organization right in the URL — /v1/organizations/{org}/standings, /v1/organizations/{org}/people, etc. There's no implicit context to forget to pass. Authenticated mutations layer an org.access check so a token for Org A literally cannot write to Org B.

Rate limits & quotas

Tiered Rate Limiting

Limits are enforced per route group. Standard X-RateLimit-Limit / X-RateLimit-Remaining headers on every response.

60/min

Public

By IP. Covers all unauthenticated reads, mobile app feed, login, and registration.

120/min

Authenticated

By user. Anything behind auth:sanctum — writes, mutations, scoped reads.

Tight  

Auth Endpoints

Login, registration, and password reset use combined per-email and per-IP throttles — calibrated to stop brute force without locking out legitimate users.

Higher limits available for integration partners — get in touch.

Webhooks

Push-Side Integration

The platform handles inbound webhooks today (mail provider delivery events) and the outbound webhook surface is on the roadmap. If you want to be notified of result entries or status changes instead of polling, let us know what events would unlock your integration.

Inbound — Available Now

SMTP2Go delivery, bounce, and complaint events post to /v1/webhooks/smtp2go/{secret} with a shared-secret URL token. The receiving controller verifies in constant time.

Outbound — On the Roadmap

Subscribe to events like result.created, event.marked_official, or registration.paid. Reach out about your use case to shape priority.

What People Build With It

Anything the admin can do, the API can — because the admin is built on it.

Embedded Live Results

Drop live standings and current-class data into your existing organization website. No iframes, no scraping, just JSON.

Venue Scoreboards

Drive a track-side display directly from the recent-results endpoint. Refresh on a timer, no admin login needed at the venue.

System Sync

Sync members and vehicles into your accounting or CRM system on a schedule. The org-scoped routes make multi-tenant sync trivial.

Custom Apps

Tracker Pull's own mobile app is built on these endpoints — the surface area is proven by the production client.

Interested in API access?

Get in touch to set up a token, request additional scopes, or talk through your integration. Sample collections and TypeScript types are ready to hand over.

Contact Us