Installing Sentry creates a resource for the upstream API and the OAuth provider Keycard needs to mint tokens for it. Your app calls Keycard’s token exchange, gets back a token scoped to Sentry, and uses it to call the API directly. Every exchange is governed by your zone’s identity provider, access policies, and audit log - the OAuth client secret stays inside Keycard.
Scopes
Section titled “Scopes”OAuth permissions Keycard requests on install. Override or add scopes in Console.
- event:read
- default
- project:read
- default
- org:read
- default
- org:write
- org:admin
- project:write
- project:admin
- project:releases
- team:read
- team:write
- team:admin
- member:read
- member:write
- member:admin
- event:write
- event:admin
Install
Section titled “Install”Add Sentry to your zone so your app can exchange tokens for it.
Step 1 - Start the install in Keycard Console
Section titled “Step 1 - Start the install in Keycard Console”-
In your zone’s Keycard Console, go to Resources -> Explore Resources.
-
Search for
Sentryand click into the catalog entry. -
The install dialog shows a Redirect URI. Copy it - you’ll paste it into Sentry in Step 2. Leave this Keycard tab open.
Step 2 - Create the OAuth app for Sentry
Section titled “Step 2 - Create the OAuth app for Sentry”Create a Sentry application
Section titled “Create a Sentry application”- Go to Sentry Account Settings → API → Applications
- Click Create New Application
- In the dialog, select Confidential as the application type
- Fill in:
- Name: A descriptive name (e.g., “Keycard”)
- Redirect URL: The redirect URI provided by Keycard
- Click Create Application
Get credentials
Section titled “Get credentials”- After creating the application, copy the Client ID and Client Secret from the application details page
Step 3 - Finish the install in Keycard Console
Section titled “Step 3 - Finish the install in Keycard Console”-
Switch back to the Keycard install dialog you left open in Step 1.
-
Paste the Client ID and Client Secret from Step 2.
-
Click Add Sentry. The resource is provisioned and your app can start exchanging tokens for it.
Use Sentry from your code
Section titled “Use Sentry from your code”Call Sentry from your application with a Keycard-issued token scoped to this resource.
After installing Sentry, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.
from keycardai.oauth import Client, BasicAuth, TokenTypeimport requests
# Exchange the user's Keycard token for a Sentry token.with Client( "https://<zone-id>.keycard.cloud", auth=BasicAuth("<your-client-id>", "<your-client-secret>"),) as client: response = client.exchange_token( subject_token=user_access_token, subject_token_type=TokenType.ACCESS_TOKEN, resource="https://sentry.io/api/0", )
# Call Sentry directly with the exchanged token.r = requests.get( "https://sentry.io/api/0/<endpoint>", headers={"Authorization": f"Bearer {response.access_token}"},)import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";
const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", { clientId: "<your-client-id>", clientSecret: "<your-client-secret>",});
const response = await client.exchangeToken({ subjectToken: userAccessToken, resource: "https://sentry.io/api/0",});
// Call Sentry directly with the exchanged token.const res = await fetch("https://sentry.io/api/0/<endpoint>", { headers: { Authorization: `Bearer ${response.accessToken}` },});See the OAuth SDK → Token Exchange reference for the full client API.
Troubleshooting
Section titled “Troubleshooting”Common errors when wiring Sentry into your zone.
Error 401: Invalid token
The access token is invalid or expired. Re-connect the provider. Sentry tokens expire relatively quickly - Keycard handles refresh if the provider issued a refresh token.
Error 403: Forbidden
The token scopes don’t match the endpoint requirements. Verify:
- The scopes in your Sentry application settings
- The scopes configured in your Keycard resource
- That
org:readis included (required for the organizations endpoint)
Next steps
Section titled “Next steps”What to do once Sentry is installed.
Now do this
- Call Sentry from your code - see the
Use Sentry from your codesection above for Python and TypeScript samples.
Recommended
- Decide who can use it - write access policies scoped to the Sentry resource so only the right users and apps reach the API.
- Watch the calls - every token exchange and downstream call lands in your audit log with user identity, resource, and policy decision.
Optional
- Add MCP access too - install the Sentry MCP server for AI agents that need Sentry’s tools, not just the REST API.