Authentication
The Meridian Track API uses API keys for authentication. API keys are scoped to a workspace and can be configured with specific permissions and rate limits.
Creating an API Key
- Navigate to API Keys in the sidebar of the Meridian Track app
- Click Create API Key
- Configure:
  - Name: A descriptive label for the key
  - Scopes: Which resources the key can access (read/write per resource)
  - Rate Limits: Requests per minute and per hour
  - Expiry: Optional expiration date
- Click Create
Using an API Key
Include the API key in the X-API-Key header of every request:

    curl https://api.meridiantrack.com/v1/clients \
      -H "X-API-Key: mt_live_your_api_key_here"

Key Format
API keys follow the format: mt_live_ followed by a random string (~50 characters total).
The mt_live_ prefix makes keys easily identifiable in code and logs.
Scopes
Scopes control which resources an API key can access. Each resource has read and write scopes:
| Scope | Access |
|---|---|
| clients:read | List and get clients |
| clients:write | Create, update, and delete clients |
| projects:read | List and get projects |
| projects:write | Create, update, and delete projects |
| tasks:read | List and get tasks |
| tasks:write | Create, update, and delete tasks |
| tags:read | List and get tags |
| tags:write | Create, update, and delete tags |
| time-entries:read | List and get time entries |
| time-entries:write | Create, update, and delete time entries |
| favorites:read | List and get favorites |
| favorites:write | Create, update, and delete favorites |
| invoices:read | List and get invoices |
| invoices:write | Delete invoices |
If a request requires a scope the key doesn’t have, the API returns a 403 Forbidden error.
Revoking a Key
To revoke an API key:
- Navigate to API Keys in the app
- Click the revoke button on the key you want to disable
Revoked keys stop working immediately, but authorizer caching can delay this by up to 5 minutes.
Security Best Practices
- Use minimal scopes — only grant the permissions your integration needs
- Set expiration dates — rotate keys regularly
- Never commit keys — use environment variables or secrets management
- One key per integration — makes it easy to revoke access for a specific tool
- Monitor usage — check the “Last Used” timestamp to detect unused keys
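
The mt_live_ prefix from Key Format makes the "Never commit keys" rule checkable by machine. The scanner below is an added example, not Meridian Track code: it flags hard-coded keys in files (for instance from a pre-commit hook) and redacts them for log output. The character set, the 30-character minimum and the MERIDIAN_API_KEY variable name are assumptions, since the page gives only the prefix and the approximate length.

```python
import re
import sys

# Assumption: the page documents only the "mt_live_" prefix and "~50 characters
# total". The character class and 30-character minimum are guesses; the minimum
# also keeps the docs placeholder "mt_live_your_api_key_here" from matching.
KEY_RE = re.compile(r"\bmt_live_[A-Za-z0-9_-]{30,}")

def redact(text):
    """Replace each key with its prefix plus 4 characters, safe for logs."""
    return KEY_RE.sub(lambda m: m.group(0)[:12] + "[REDACTED]", text)

def find_keys(text):
    """Return (line_number, redacted_line) for every line that holds a key."""
    return [(n, redact(line.strip()))
            for n, line in enumerate(text.splitlines(), start=1)
            if KEY_RE.search(line)]

# Constructed sample: a fake 50-character key and the placeholder from the docs.
FAKE_KEY = "mt_live_" + "A1b2" * 10 + "Zz"
SAMPLE = (
    "import os\n"
    'API_KEY = "' + FAKE_KEY + '"  # hard-coded: should be flagged\n'
    'DOC_KEY = "mt_live_your_api_key_here"  # placeholder: too short to match\n'
    'SAFE_KEY = os.environ["MERIDIAN_API_KEY"]  # hypothetical variable name\n'
)

def main(paths):
    """Scan the given files (e.g. staged files in a pre-commit hook)."""
    hits = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, line in find_keys(fh.read()):
                print(f"{path}:{line_no}: {line}")
                hits += 1
    return 1 if hits else 0  # non-zero exit blocks the commit

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for line_no, line in find_keys(SAMPLE):
        print(f"sample:{line_no}: {line}")
```

Run with file paths as arguments to scan them; run with no arguments to scan the constructed sample.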