Authentication
Secure your API requests with API key authentication.
Bearer Scheme
All API requests must include a valid API key in the Authorization header using the Bearer scheme:
GET /fleet/vehicles HTTP/1.1
Host: publicapi.app.eztotrack.com
Authorization: Bearer ezt_live_abc123...
Getting an API Key
API keys can be created through:
- The EZToTrack Dashboard — navigate to Settings > API Keys
- The Admin API — use the WebApiV2 admin endpoint
POST http://localhost:5000/api/v2/api-keys
Authorization: Bearer <your-jwt-token>
Content-Type: application/json
{
  "name": "My Integration",
  "scopes": ["vehicles:read", "drivers:read", "hos:read"]
}
Save Your Key
The API key is only displayed once when created. Store it securely — it cannot be retrieved again.
API Key Prefixes
| Prefix | Environment | Description |
|---|---|---|
| ezt_live_ | Production | Access production fleet data |
| ezt_test_ | Test | Access sandbox data for development |
Authorization Scopes
API keys are scoped to specific permissions. Requests to endpoints requiring a scope your key does not have will return 403 Forbidden.
| Scope | Description | Endpoints |
|---|---|---|
| vehicles:read | List and view vehicles, locations, and stats | /fleet/vehicles/* |
| drivers:read | List and view drivers | GET /fleet/drivers/* |
| drivers:write | Create and update drivers | POST, PATCH /fleet/drivers/* |
| hos:read | View HOS clocks, logs, daily logs, and violations | /fleet/hos/* |
IP Allowlist
API keys can optionally be restricted to specific IP addresses. When configured, requests from IPs not in the allowlist return 403 Forbidden. This adds an extra layer of security for production keys.
Error Responses
| Status Code | Meaning | Common Causes |
|---|---|---|
| 401 Unauthorized | Missing or invalid API key | No Authorization header, expired key, malformed token |
| 403 Forbidden | Valid key but insufficient access | Missing required scope, IP not in allowlist |
Error response format:
{
  "message": "Authentication required. Provide a valid API key via Authorization: Bearer <token>",
  "requestId": "0HN8ABC123"
}
Security Best Practices
- Never expose API keys in client-side code — Use server-side calls only
- Use the minimum scopes needed — Only request scopes your integration requires
- Rotate keys regularly — Create new keys and deactivate old ones periodically
- Enable IP allowlisting — Restrict keys to your server's IP addresses
- Use environment variables — Store keys in environment variables, not source code
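As an added example (not EZToTrack's own client and not code from this page), a small Python helper that applies the Bearer scheme, the key-prefix table, the scope table and the error format above on the client side: it refuses a key from the wrong environment, reports which scope a request needs before it is sent, redacts the key for logging, and turns a 401/403 body into a message that carries the requestId. The prefix and scope tables are transcribed from this page; the method-matching rule and the redaction format are assumptions.

```python
import json
from typing import Optional

# Transcribed from the page's prefix table: key prefix -> environment.
KEY_PREFIXES = {"ezt_live_": "Production", "ezt_test_": "Test"}

# Transcribed from the page's scope table: (method or "*" for any, path prefix, scope).
SCOPE_RULES = [
    ("*", "/fleet/vehicles", "vehicles:read"),
    ("GET", "/fleet/drivers", "drivers:read"),
    ("POST", "/fleet/drivers", "drivers:write"),
    ("PATCH", "/fleet/drivers", "drivers:write"),
    ("*", "/fleet/hos", "hos:read"),
]

def key_environment(api_key: str) -> Optional[str]:
    """Return the environment the key prefix implies, or None if unrecognised."""
    for prefix, env in KEY_PREFIXES.items():
        if api_key.startswith(prefix):
            return env
    return None

def required_scope(method: str, path: str) -> Optional[str]:
    """Scope the page's table says this request needs, or None if the path is unlisted."""
    for rule_method, rule_path, scope in SCOPE_RULES:
        if rule_method in ("*", method.upper()) and path.startswith(rule_path):
            return scope
    return None

def auth_headers(api_key: str, expected_env: str) -> dict:
    """Build the Bearer header, refusing a key from the wrong environment (assumed check)."""
    env = key_environment(api_key)
    if env != expected_env:
        raise ValueError(f"expected a {expected_env} key, got {env or 'unrecognised prefix'}")
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}

def redact_key(api_key: str) -> str:
    """Log-safe form (assumed format): environment prefix plus the last 4 characters only."""
    env = key_environment(api_key)
    prefix = next(p for p, e in KEY_PREFIXES.items() if e == env) if env else ""
    return f"{prefix}...{api_key[-4:]}"

def explain_error(status: int, body: str) -> str:
    """Turn a 401/403 body in the page's error format into a log line with the requestId."""
    data = json.loads(body) if body.lstrip().startswith("{") else {}
    causes = {401: "missing or invalid API key", 403: "valid key but insufficient access (scope or IP allowlist)"}
    cause = causes.get(status, "unexpected status")
    return f"HTTP {status} ({cause}) requestId={data.get('requestId', '?')}: {data.get('message', body)}"
```

Keep the requestId in your logs and out of the key: it is what the error format gives you to correlate a failed request with the server side, while the key itself never belongs in a log line.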